[Cerowrt-devel] [Dnsmasq-discuss] more dnssec failures

Robert Bradley robert.bradley1 at gmail.com
Wed Apr 23 12:44:23 EDT 2014


On 23/04/2014 16:58, Simon Kelley wrote:
> On 23/04/14 16:42, Dave Taht wrote:
>> I will argue that a better place to report dnssec validation
>> errors is the dnsmasq list.
>>
>> On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood <woody77 at gmail.com> wrote:
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A]
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is
>>> BOGUS
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
>>>
>>> This one validates via verisign, however.
>>>
> Something strange in that domain. Turning off DNSSEC with the
> checking-disabled bit, the original A-record query is OK
>
>
> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
<snip rest of NOERROR response>
>
> But a query for DS on the same domain, which is what dnsmasq does next,
> returns SERVFAIL, _even_with_ checking disabled.
>
> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
<snip SERVFAIL response>

This looks identical to the *.cloudflare.com issue I had last week.  In
both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
and 8.8.8.8 returns SERVFAIL for DS lookups.  This looks like a bug in
Google's DNS servers as opposed to dnsmasq...

-- 
Robert Bradley
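As an added example that is not part of this thread: a small Python script that scans dnsmasq log lines like the ones quoted above and reports, per queried name, which upstream the DS query went to and whether the answer came back BOGUS. Run over a day of logs it turns the "is it 8.8.8.8 or is it dnsmasq" question into a count per upstream rather than a single lookup. The sample log is constructed: the quoted lines re-joined onto single lines, plus a hypothetical clean lookup of example.invalid via 4.2.2.2 as a negative case. The function names are mine, not dnsmasq's.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the dnsmasq lines quoted in the thread (re-joined onto
# single lines) plus one hypothetical clean lookup so the detector has a
# negative case.
SAMPLE_LOG = """\
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is BOGUS
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
Wed Apr 23 15:13:06 2014 daemon.info dnsmasq[29719]: query[A] example.invalid from 172.30.42.99
Wed Apr 23 15:13:06 2014 daemon.info dnsmasq[29719]: forwarded example.invalid to 4.2.2.2
Wed Apr 23 15:13:06 2014 daemon.info dnsmasq[29719]: reply example.invalid is 192.0.2.10
"""

# Everything after the "dnsmasq[pid]: " prefix is the message we classify.
LINE_RE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.*)$")

# Message shapes seen in the quoted log; each one yields a dict of fields.
MSG_RE = {
    "query": re.compile(r"^query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"),
    "forwarded": re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$"),
    "dnssec_query": re.compile(r"^dnssec-query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) to (?P<server>\S+)$"),
    "reply": re.compile(r"^reply (?P<name>\S+) is (?P<rdata>.+)$"),
    "validation": re.compile(r"^validation result is (?P<result>\S+)$"),
}


def parse_line(line):
    """Return a dict describing one dnsmasq log line, or None if unrecognised."""
    m = LINE_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in MSG_RE.items():
        mm = rx.match(msg)
        if mm:
            fields = mm.groupdict()
            fields["kind"] = kind
            return fields
    return None


def summarize(log_text):
    """Group events by queried name: clients, upstreams, DS servers, BOGUS flag, answers."""
    names = defaultdict(lambda: {"clients": set(), "upstreams": set(),
                                 "ds_servers": set(), "bogus_ds": False,
                                 "answers": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        # "validation result is ..." carries no name, so it is not attributed here.
        if ev is None or "name" not in ev:
            continue
        rec = names[ev["name"]]
        if ev["kind"] == "query":
            rec["clients"].add(ev["client"])
        elif ev["kind"] == "forwarded":
            rec["upstreams"].add(ev["server"])
        elif ev["kind"] == "dnssec_query" and ev["qtype"] == "DS":
            rec["ds_servers"].add(ev["server"])
        elif ev["kind"] == "reply":
            if ev["rdata"].startswith("BOGUS"):
                rec["bogus_ds"] = True
            else:
                rec["answers"].append(ev["rdata"])
    return dict(names)


def bogus_ds_names(log_text):
    """Names whose DS lookup came back BOGUS, sorted."""
    return sorted(n for n, r in summarize(log_text).items() if r["bogus_ds"])


def bogus_ds_by_server(log_text):
    """How many BOGUS-DS names had their DS query sent to each upstream server."""
    counts = Counter()
    for r in summarize(log_text).values():
        if r["bogus_ds"]:
            counts.update(r["ds_servers"])
    return counts


if __name__ == "__main__":
    for name in bogus_ds_names(SAMPLE_LOG):
        print("BOGUS DS:", name)
    for server, n in bogus_ds_by_server(SAMPLE_LOG).items():
        print(f"{server}: {n} name(s) with BOGUS DS")
```

If the counts pile up on one upstream while names forwarded elsewhere validate cleanly, that points at the upstream rather than the validator; if they spread evenly across upstreams, look at dnsmasq or the zone itself.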

