From: Aaron Wood
To: Simon Kelley
Cc: dnsmasq-discuss, "cerowrt-devel@lists.bufferbloat.net"
Date: Mon, 28 Apr 2014 21:45:28 +0200
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

This timeout, I'm guessing this is older/naive setups that aren't expecting to support DNSSEC, and through "over-securing" their setup, have managed to break the non-existence-proof process?

-Aaron

On Mon, Apr 28, 2014 at 9:32 PM, Simon Kelley <simon@thekelleys.org.uk> wrote:

...
> Neither of the authoritative nameservers for test-ipv6.com return answers to
> the DS query, they just time out. They do return answers for A and AAAA
> queries. That looks broken to me.
>
> Problems like this have been at the root of most (but not all) of the
> DNSSEC failures that have been reported.
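
The symptom described in the quoted text (A and AAAA answered, DS timing out), as an added example that is not part of the original message: it sends A, AAAA and DS queries to one authoritative server and classifies the replies. The function names, the DO bit in the query, the 3-second timeout and the verdict strings are assumptions of this example.

```python
import socket
import struct

QTYPES = {"A": 1, "AAAA": 28, "DS": 43}

def build_query(name, qtype, qid=0x1234):
    """Build a non-recursive DNS query carrying an EDNS0 OPT record with DO set."""
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", QTYPES[qtype], 1)  # class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(data):
    """Return (rcode, answer_count) from the 12-byte DNS response header."""
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return flags & 0x000F, ancount

def probe(server, name, qtype, timeout=3.0):
    """Query one server over UDP; None means no reply arrived before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            return parse_header(s.recv(4096))
        except socket.timeout:
            return None

def diagnose(results):
    """Classify {'A': (rcode, ancount) or None, 'AAAA': ..., 'DS': ...}."""
    address_ok = any(results.get(t) is not None for t in ("A", "AAAA"))
    if results.get("DS") is None and address_ok:
        return "DS dropped: address queries answered, DS query timed out"
    if all(r is None for r in results.values()):
        return "unreachable: no reply to any query type"
    return "responsive: DS query got a reply (rcode %d)" % results["DS"][0]

if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]  # authoritative server IP, zone name
    print(diagnose({t: probe(server, zone, t) for t in QTYPES}))
```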