[Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?

Robert Bradley robert.bradley1 at gmail.com
Sat Apr 12 08:24:35 EDT 2014


On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
> Robert Bradley <robert.bradley1 at gmail.com> writes:
>
>> That seems to suggest that it's the DS queries that are failing and
>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>> seems to suggest that their nameservers refuse requests for DNSKEY
>> records.
> I seem to have no problems resolving either cloudfare.com or
> cloudfare.net with dnssec validation enabled. But then I might have a
> different view of their DNS infrastructure; I'm in Sweden...
>
> You can try running dig with +dnssec +trace to see where in the chain
> things go wrong...
>
> -Toke

Using +dnssec +trace returns no errors, but that ends up bypassing both
Google's DNS servers and dnsmasq in favour of going directly to the DNS
root.  It looks like there is some issue with 8.8.8.8 and 8.8.4.4
disliking that particular domain (at least from a UK point of view), but
I am unable to see what it is.

-- 
Robert Bradley
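
An added example, not part of the original post: because `+trace` bypasses the forwarders, one way to test a single resolver is to compare a normal `+dnssec` query with the same query sent with `+cd` (checking disabled). The function names and the sample dig headers below are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real captures would come from, e.g.:
#   dig +dnssec     blog.cloudflare.com @8.8.8.8
#   dig +dnssec +cd blog.cloudflare.com @8.8.8.8
# (repeat against the dnsmasq address to test that hop).

# Extract the rcode from dig's ";; ->>HEADER<<-" line.
dns_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# True if the resolver set the AD (authenticated data) flag.
has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# $1 = dig output of the normal query, $2 = output of the same query with +cd
classify() {
    normal=$(dns_status "$1")
    nocheck=$(dns_status "$2")
    if [ "$normal" = NOERROR ] && has_ad "$1"; then
        echo validated            # resolver validated the answer
    elif [ "$normal" = NOERROR ]; then
        echo not-validated        # resolver not validating, or zone unsigned
    elif [ "$normal" = SERVFAIL ] && [ "$nocheck" = NOERROR ]; then
        echo validation-failure   # data is reachable; this resolver rejects it
    else
        echo resolution-failure   # fails even with checking disabled
    fi
}

# Constructed sample dig headers (not captured from the thread).
FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
OK_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
OK_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

classify "$FAIL" "$OK_CD"
```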
