[Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
robert.bradley1 at gmail.com
Sat Apr 12 08:24:35 EDT 2014
On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
> Robert Bradley <robert.bradley1 at gmail.com> writes:
>> That seems to suggest that it's the DS queries that are failing and
>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>> seems to suggest that their nameservers refuse requests for DNSKEY
> I seem to have no problems resolving either cloudfare.com or
> cloudfare.net with dnssec validation enabled. But then I might have a
> different view of their DNS infrastructure; I'm in Sweden...
> You can try running dig with +dnssec +trace to see where in the chain
> things go wrong...
Using +dnssec +trace returns no errors, but that ends up bypassing both
Google's DNS servers and dnsmasq in favour of going directly to the DNS
root. It looks like there is some issue with 126.96.36.199 and 188.8.131.52
disliking that particular domain (at least from a UK point of view), but
I am unable to see what it is.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 899 bytes
Desc: OpenPGP digital signature
More information about the Cerowrt-devel