On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley <robert.bradley1@gmail.com> wrote:

> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

<snip rest of NOERROR response>

>
> But a query for DS on the same domain, which is what dnsmasq does next,
> returns SERVFAIL, _even_with_ checking disabled.
>
> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

<snip SERVFAIL response>

This looks identical to the *.cloudflare.com issue I had last week. In
both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
and 8.8.8.8 returns SERVFAIL for DS lookups. This looks like a bug in
Google's DNS servers as opposed to dnsmasq...

A question about dnsmasq and multiple servers. If I listed both 4.2.2.2 and 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case? would it query both for the DS? or just "stick" with the first server to start responding with an A-record?

(I confess that I don't know the details of DNS very well)

-Aaron