[Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?

Robert Bradley robert.bradley1 at gmail.com
Sat Apr 12 08:24:35 EDT 2014

On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
> Robert Bradley <robert.bradley1 at gmail.com> writes:
>> That seems to suggest that it's the DS queries that are failing and
>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>> seems to suggest that their nameservers refuse requests for DNSKEY
>> records.
> I seem to have no problems resolving either cloudfare.com or
> cloudfare.net with dnssec validation enabled. But then I might have a
> different view of their DNS infrastructure; I'm in Sweden...
> You can try running dig with +dnssec +trace to see where in the chain
> things go wrong...
> -Toke

Using +dnssec +trace returns no errors, but that ends up bypassing both
Google's DNS servers and dnsmasq in favour of going directly to the DNS
root.  It looks like there is some issue with and
disliking that particular domain (at least from a UK point of view), but
I am unable to see what it is.

Robert Bradley

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140412/82931f70/attachment.sig>

More information about the Cerowrt-devel mailing list