From: James Cloos
Date: Fri, 25 Apr 2014 14:45:25 -0400
Cc: dnsmasq-discuss
Subject: Re: [Cerowrt-devel] test-ipv6.com vs dnssec
In-Reply-To: (Jim Gettys's message of "Fri, 25 Apr 2014 14:01:37 -0400")
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
List-Id: Development issues regarding the cerowrt test router project
OpenPGP: 0x997A9F17ED7DAEA6; url=https://jhcloos.com/public_key/0x997A9F17ED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6

None of the posted examples which I've looked at have been dnssec signed. There must be a bug in how dnsmasq tries to prove the non-existence of the signatures.

Unbound, running on a box inside of an openwrt nat, has no problems with any of them.

To confirm whether the bug is in dnsmasq or at goog, someone should run their own verifying resolver (such as unbound) on a public box, open it just enough for their cerowrt to use it, configure it to log verbosely, and have their cero use it. If that also leads to fails, then dnsmasq has the bug. Otherwise, goog does something "interesting".

How much ram is available in cero for the resolver? Unbound on glibc/amd64 only needs a bit less than 78M virt, 18M rss (with a well-stocked cache). The other verifying resolvers probably need similar resources.

Even back when I used a dialup, unbound was perfectly usable inside¹. The extra traffic from verifying from the roots down shouldn't hurt.

1] in its early days it could DoS, but that issue was fixed.

-JimC

-- 
James Cloos OpenPGP: 0x997A9F17ED7DAEA6
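The test setup described in the message above (a validating unbound on a public box, reachable only from the cerowrt router, logging enough to show why a validation fails) can be expressed as a small unbound.conf. This fragment is an added example for this archive page, not a configuration posted by James Cloos or shipped by the unbound or cerowrt projects. The listening address 203.0.113.10, the router's public address 198.51.100.7 and the log path are placeholders chosen for illustration; the option names are standard unbound.conf server-section options.

```conf
# /etc/unbound/unbound.conf -- validating resolver for isolating a
# dnsmasq-vs-upstream DNSSEC disagreement.  Example only; addresses
# are placeholders (RFC 5737 documentation ranges).
server:
    # Listen only on the public address the router will talk to.
    interface: 203.0.113.10
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # "Open it just enough": default-deny, then allow the one cerowrt
    # public address.  Everything else gets REFUSED, so the box does
    # not become an open resolver while the test runs.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 198.51.100.7/32 allow

    # Validate from the root down using the RFC 5011 managed anchor.
    # The file must be writable by the unbound user.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes

    # Verbose logging for the experiment.  val-log-level 2 records
    # every validation failure together with the reason and the
    # authoritative server it came from, which is what distinguishes
    # "the zone really is broken upstream" from "the resolver proved
    # non-existence incorrectly".  Turn this back down afterwards.
    verbosity: 3
    val-log-level: 2
    use-syslog: no
    logfile: "/var/log/unbound.log"
    log-time-ascii: yes

    # Keep the footprint in line with the figures quoted in the thread;
    # a single thread and small caches are plenty for one router.
    num-threads: 1
    msg-cache-size: 4m
    rrset-cache-size: 8m
    hide-identity: yes
    hide-version: yes
```

Point the router at 203.0.113.10 as its only upstream and repeat the queries that failed through dnsmasq. A domain that unbound resolves with the AD bit set while dnsmasq returns SERVFAIL points at dnsmasq's denial-of-existence handling; a domain where unbound's log shows a validation failure with a named reason points at the upstream zone or the intermediate resolver.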