[Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?

Dave Taht dave.taht at gmail.com
Sat Apr 12 15:06:16 EDT 2014


I tweeted this thread to Cloudflare.



On Sat, Apr 12, 2014 at 5:24 AM, Robert Bradley
<robert.bradley1 at gmail.com> wrote:
> On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
>> Robert Bradley <robert.bradley1 at gmail.com> writes:
>>
>>> That seems to suggest that it's the DS queries that are failing and
>>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>>> seems to suggest that their nameservers refuse requests for DNSKEY
>>> records.
>> I seem to have no problems resolving either cloudfare.com or
>> cloudfare.net with dnssec validation enabled. But then I might have a
>> different view of their DNS infrastructure; I'm in Sweden...
>>
>> You can try running dig with +dnssec +trace to see where in the chain
>> things go wrong...
>>
>> -Toke
>
> Using +dnssec +trace returns no errors, but that ends up bypassing both
> Google's DNS servers and dnsmasq in favour of going directly to the DNS
> root.  It looks like there is some issue with 8.8.8.8 and 8.8.4.4
> disliking that particular domain (at least from a UK point of view), but
> I am unable to see what it is.
>
> --
> Robert Bradley



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


