From: Aaron Wood
To: cerowrt-devel, dnsmasq-discuss
Date: Sat, 26 Apr 2014 13:38:08 +0200
Subject: [Cerowrt-devel] Had to disable dnssec today
List-Id: Development issues regarding the cerowrt test router project

Just too many sites aren't working correctly with dnsmasq and using Google's DNS servers.
- Bank of America (sso-fi.bankofamerica.com)
- Weather Underground (cdnjs.cloudflare.com)
- Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)

And I'm not getting any traction with reporting the errors to those sites, so it's frustrating getting it properly fixed.

While Akamai and Cloudflare appear to be issues with their entries in Google DNS, or with dnsmasq's validation of them being insecure domains, the BofA issue appears to be an outright bad key. And BofA isn't being helpful (just a continual "we use SSL" sort of quasi-automated response).

So I'm disabling it for now, or rather, falling back to using my ISP's DNS servers, which don't support DNSSEC at this time. I'll be periodically turning it back on, but too much is broken (mainly due to the CDNs) to be able to rely on it at this time.

-Aaron
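The message above distinguishes three failure modes without saying how to tell them apart: a name that validates, a name that sits under an unsigned delegation (the "insecure domain" case for the CDN names), and a name whose data exists but fails validation (the "outright bad key" case). The standard way to separate them from the client side is to query a validating resolver twice, once normally and once with the CD (checking disabled) bit, and compare the status and the AD flag. The script below is an added example for this list, not Aaron's code and not part of dnsmasq or CeroWrt; it assumes BIND's dig is installed and that the upstream resolver validates and sets AD (Google Public DNS at 8.8.8.8 does). The dig outputs embedded at the bottom are constructed for the example so the classifier can be exercised offline.

```python
"""Classify a DNSSEC lookup result as SECURE, INSECURE, BOGUS or OTHER.

Decision table (status of the plain query, then the +cd query):

  SECURE    NOERROR with the ad flag      resolver built a chain of trust
  INSECURE  NOERROR without ad            a delegation on the path has no DS
                                          (unsigned zone under a signed parent,
                                          the usual CDN situation)
  BOGUS     SERVFAIL, but NOERROR with +cd data is there, validation fails
                                          (bad/expired key or RRSIG)
  OTHER     SERVFAIL even with +cd        not a DNSSEC problem (lame or
                                          unreachable authority, resolver fault)
"""
import re
import subprocess

# Assumption: a resolver that validates and sets AD on validated answers.
RESOLVER = "8.8.8.8"


def parse_dig(output: str):
    """Return (status, set_of_flags) from dig's ';; ->>HEADER<<-' and ';; flags:' lines."""
    status_m = re.search(r"status:\s*([A-Z]+)", output)
    if not status_m:
        raise ValueError("no ';; ->>HEADER<<-' line in dig output")
    flags_m = re.search(r";; flags:\s*([a-z ]*);", output)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    return status_m.group(1), flags


def classify(normal_output: str, cd_output: str) -> str:
    """Apply the decision table to the two dig runs for one name."""
    status, flags = parse_dig(normal_output)
    cd_status, _ = parse_dig(cd_output)
    if status == "NOERROR":
        return "SECURE" if "ad" in flags else "INSECURE"
    if status == "SERVFAIL" and cd_status == "NOERROR":
        return "BOGUS"
    return "OTHER"


def dig(name: str, cd: bool = False, resolver: str = RESOLVER) -> str:
    """Run dig against the resolver (needs dig on PATH and network access)."""
    cmd = ["dig", "+dnssec", "+time=3", "+tries=1", "@" + resolver, name, "A"]
    if cd:
        cmd.append("+cd")
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def diagnose(name: str, resolver: str = RESOLVER) -> str:
    """Live check of one name: plain query plus +cd query, then classify."""
    return classify(dig(name, resolver=resolver), dig(name, cd=True, resolver=resolver))


# Constructed dig header fragments (not captured from the sites in the message).
SAMPLE_SECURE = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_INSECURE = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_SERVFAIL = """
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_CD_OK = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for n in ("sso-fi.bankofamerica.com", "cdnjs.cloudflare.com",
              "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"):
        print(n, diagnose(n))
```

This shows the upstream resolver's verdict, which is not necessarily dnsmasq's: dnsmasq builds the chain itself from the DNSKEY and DS records it fetches through the upstream, so a name Google reports as SECURE can still be rejected locally, which is the "dnsmasq's validation" possibility raised in the message. Running this alongside dnsmasq with query logging enabled, and comparing the two verdicts per name, separates a zone problem (BOGUS from both) from a chain-building problem in the local validator.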