From: Aaron Wood
To: Robert Bradley
Cc: Dnsmasq-discuss@lists.thekelleys.org.uk, cerowrt-devel
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] more dnssec failures
Date: Wed, 23 Apr 2014 19:18:39 +0200
In-Reply-To: <5357EDE7.2000409@gmail.com>
References: <5357E336.6070406@thekelleys.org.uk> <5357EDE7.2000409@gmail.com>

On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley wrote:

> > ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
> > e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
> <snip rest of NOERROR response>
> >
> > But a query for DS on the same domain, which is what dnsmasq does next,
> > returns SERVFAIL, _even_with_ checking disabled.
> >
> > ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
> > e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
> <snip SERVFAIL response>
>
> This looks identical to the *.cloudflare.com issue I had last week. In
> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
> and 8.8.8.8 returns SERVFAIL for DS lookups. This looks like a bug in
> Google's DNS servers as opposed to dnsmasq...

A question about dnsmasq and multiple servers. If I listed both 4.2.2.2
and 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this
case? Would it query both for the DS? Or just "stick" with the first
server to start responding with an A-record?

(I confess that I don't know the details of DNS very well)

-Aaron
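
Added example (not part of the original message, and not dnsmasq code): the A-versus-DS comparison from the quoted dig runs, as a script that builds both queries with the CD bit set and classifies each resolver by the RCODEs it returns. The replies are constructed stand-ins for what the thread reports (4.2.2.2 "works fine" is taken to mean NOERROR for both types); fake_response, diagnose and run are hypothetical helper names.

```python
import struct

QTYPES = {"A": 1, "DS": 43}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_QR, FLAG_RD, FLAG_CD = 0x8000, 0x0100, 0x0010

def build_query(name, qtype, qid=0x1234, cd=True):
    """Wire-format query; cd=True sets the CD bit, like dig's +cd."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return (struct.pack("!6H", qid, flags, 1, 0, 0, 0) + qname
            + struct.pack("!2H", QTYPES[qtype], 1))

def rcode_of(response):
    """Return the RCODE name from a response header (low 4 flag bits)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & FLAG_QR:
        raise ValueError("QR bit clear: this is a query, not a response")
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

def fake_response(query, rcode):
    """Constructed stand-in for a reply: echo the query with QR and RA set."""
    qid, flags = struct.unpack("!2H", query[:4])
    return struct.pack("!2H", qid, flags | FLAG_QR | 0x0080 | rcode) + query[4:]

def diagnose(per_server):
    """Map {server: {"A": rcode, "DS": rcode}} to a verdict per server."""
    verdicts = {}
    for server, rc in per_server.items():
        if rc["A"] == "NOERROR" and rc["DS"] == "SERVFAIL":
            verdicts[server] = "DS lookup fails even with CD set"
        elif rc["A"] == rc["DS"] == "NOERROR":
            verdicts[server] = "ok"
        else:
            verdicts[server] = "inconclusive"
    return verdicts

NAME = "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"
# Constructed RCODEs matching what the thread reports for each resolver.
REPORTED = {"8.8.8.8": {"A": 0, "DS": 2}, "4.2.2.2": {"A": 0, "DS": 0}}

def run():
    observed = {}
    for server, codes in REPORTED.items():
        observed[server] = {
            qt: rcode_of(fake_response(build_query(NAME, qt), rc))
            for qt, rc in codes.items()}
    return diagnose(observed)

if __name__ == "__main__":
    for server, verdict in run().items():
        print(server, verdict)
```

To test live resolvers, replace fake_response with a UDP send of build_query's bytes to port 53 and pass the reply to rcode_of.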