[Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?

Robert Bradley robert.bradley1 at gmail.com
Sat Apr 12 17:27:24 EDT 2014


On 12/04/2014 21:54, Michael Richardson wrote:
> Robert Bradley <robert.bradley1 at gmail.com> wrote:
>     >> Did I understand that your dnsmasq is using 8.8.8.8 as its upstream
>     >> forwarder, so your results are filtered through google?
>
>     > Yes, that's right.
>
> I think that there is some interaction between dnsmasq doing DNSSEC, and
> Google DNS doing it as well.  Can you try with some other open resolver that
> does not do DNSSEC resolution?

Switching to using 4.2.2.2 seems to work fine.  This may well be limited
to particular networks and servers though given that these are anycast
servers and Cloudflare is a CDN:

root@cerowrt:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  *  *  *
 2  leed-core-2a-xe-1121-0.network.virginmedia.net (82.15.94.65)  9.146 ms  6.761 ms  7.251 ms
 3  manc-bb-1d-ae8-0.network.virginmedia.net (213.105.159.249)  7.819 ms  11.558 ms  7.666 ms
 4  manc-bb-2a-ae3-0.network.virginmedia.net (62.254.42.117)  13.453 ms  49.300 ms  12.830 ms
 5  manc-bb-1c-ae2-0.network.virginmedia.net (62.254.42.114)  7.613 ms  7.063 ms  7.924 ms
 6  tele-ic-3-ae0-0.network.virginmedia.net (212.43.163.70)  13.606 ms  13.478 ms  14.151 ms
 7  tele-ic-2-ge-301-0.inet.ntl.com (212.250.14.105)  46.178 ms  51.208 ms  50.896 ms
 8  209.85.244.182 (209.85.244.182)  22.786 ms  209.85.244.184 (209.85.244.184)  14.510 ms  209.85.244.182 (209.85.244.182)  39.937 ms
 9  209.85.253.94 (209.85.253.94)  14.654 ms  209.85.245.2 (209.85.245.2)  19.117 ms  14.333 ms
10  66.249.95.173 (66.249.95.173)  29.301 ms  72.14.242.166 (72.14.242.166)  19.458 ms  20.342 ms
11  72.14.238.217 (72.14.238.217)  53.472 ms  72.14.238.41 (72.14.238.41)  20.340 ms  20.248 ms
12  *  *  *
13  google-public-dns-a.google.com (8.8.8.8)  18.814 ms  19.262 ms  20.023 ms

root@cerowrt:~# traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
 1  *  *  *
 2  leed-core-2a-xe-1121-0.network.virginmedia.net (82.15.94.65)  6.979 ms  6.162 ms  5.474 ms
 3  manc-bb-1d-ae8-0.network.virginmedia.net (213.105.159.249)  6.553 ms  32.480 ms  7.849 ms
 4  manc-bb-2a-ae3-0.network.virginmedia.net (62.254.42.117)  13.485 ms  13.117 ms  13.461 ms
 5  brhm-bb-2a-ae1-0.network.virginmedia.net (62.254.42.49)  9.660 ms  9.528 ms  14.095 ms
 6  *  brhm-bb-1c-ae0-0.network.virginmedia.net (62.254.42.110)  9.213 ms  *
 7  213.161.65.149 (213.161.65.149)  14.674 ms  15.765 ms  15.385 ms
 8  4.68.70.77 (4.68.70.77)  15.200 ms  15.055 ms  15.223 ms
 9  vl-3603-ve-227.csw2.London1.Level3.net (4.69.166.153)  13.883 ms  vl-3504-ve-118.csw1.London1.Level3.net (4.69.166.141)  18.986 ms  vl-3502-ve-116.csw1.London1.Level3.net (4.69.166.133)  20.304 ms
10  ae-234-3610.edge5.london1.Level3.net (4.69.166.53)  13.229 ms  ae-124-3510.edge5.london1.Level3.net (4.69.166.37)  18.553 ms  ae-123-3509.edge5.London1.Level3.net (4.69.166.33)  20.394 ms
11  b.resolvers.Level3.net (4.2.2.2)  14.764 ms  14.026 ms  15.251 ms

-- 
Robert Bradley

