From: Aaron Wood
To: Stephen Hemminger
Cc: dnsmasq-discuss, cerowrt-devel
Subject: Re: [Cerowrt-devel] Had to disable dnssec today
Date: Fri, 16 May 2014 20:58:19 -0700
In-Reply-To: <20140516202500.364d7912@nehalam.linuxnetplumber.net>
List-Id: Development issues regarding the cerowrt test router project

Now that I'm on Comcast, I'm going to try it again.

-Aaron

On Fri, May 16, 2014 at 8:25 PM, Stephen Hemminger <stephen@networkplumber.org> wrote:

> On Sat, 26 Apr 2014 13:38:08 +0200
> Aaron Wood wrote:
>
> > Just too many sites aren't working correctly with dnsmasq and using
> > Google's DNS servers.
> >
> > - Bank of America (sso-fi.bankofamerica.com)
> > - Weather Underground (cdnjs.cloudflare.com)
> > - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
> >
> > And I'm not getting any traction with reporting the errors to those
> > sites, so it's frustrating in getting it properly fixed.
> >
> > While Akamai and cloudflare appear to be issues with their entries in
> > google dns, or with dnsmasq's validation of them being insecure domains,
> > the BofA issue appears to be an outright bad key. And BofA isn't being
> > helpful (just a continual "we use ssl" sort of quasi-automated response).
> >
> > So I'm disabling it for now, or rather, falling back to using my ISP's
> > dns servers, which don't support DNSSEC at this time. I'll be periodically
> > turning it back on, but too much is broken (mainly due to the cdns) to be
> > able to rely on it at this time.
> >
> > -Aaron
>
> Ditto. I was holding out, but performance was much worse, many websites
> would load poorly and got complaints from many errors from my customers
> (family).