[Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
dave.taht at gmail.com
Sat Apr 12 15:06:16 EDT 2014
I tweeted this thread to Cloudflare.
On Sat, Apr 12, 2014 at 5:24 AM, Robert Bradley
<robert.bradley1 at gmail.com> wrote:
> On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
>> Robert Bradley <robert.bradley1 at gmail.com> writes:
>>> That seems to suggest that it's the DS queries that are failing and
>>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>>> seems to suggest that their nameservers refuse requests for DNSKEY
>> I seem to have no problems resolving either cloudfare.com or
>> cloudfare.net with dnssec validation enabled. But then I might have a
>> different view of their DNS infrastructure; I'm in Sweden...
>> You can try running dig with +dnssec +trace to see where in the chain
>> things go wrong...
> Using +dnssec +trace returns no errors, but that ends up bypassing both
> Google's DNS servers and dnsmasq in favour of going directly to the DNS
> root. It looks like there is some issue with 220.127.116.11 and 18.104.22.168
> disliking that particular domain (at least from a UK point of view), but
> I am unable to see what it is.
> Robert Bradley