[Cerowrt-devel] [Dnsmasq-discuss] more dnssec failures
Dave Taht
dave.taht at gmail.com
Wed Apr 23 13:29:10 EDT 2014
On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood <woody77 at gmail.com> wrote:
> On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley <robert.bradley1 at gmail.com>
> wrote:
>>
>>
>> > ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
>> > e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>> <snip rest of NOERROR response>
>> >
>> > But a query for DS on the same domain, which is what dnsmasq does next,
>> > returns SERVFAIL, _even_with_ checking disabled.
>> >
>> > ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
>> > e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>> <snip SERVFAIL response>
>>
>> This looks identical to the *.cloudflare.com issue I had last week. In
>> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
>> and 8.8.8.8 returns SERVFAIL for DS lookups. This looks like a bug in
>> Google's DNS servers as opposed to dnsmasq...
>
>
> A question about dnsmasq and multiple servers. If I listed both 4.2.2.2 and
> 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case?
> Would it query both for the DS, or just "stick" with the first server to
> start responding with an A-record?

By default dnsmasq probes for a "best" upstream dns server periodically
and uses that.

>
> (I confess that I don't know the details of DNS very well)
>
> -Aaron
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
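
The two dig queries quoted in this thread, written out at the wire level as an added example (not part of the original messages, and not dnsmasq code). It builds A and DS queries with the CD bit set, as `dig +cd` does, and classifies a resolver from the response headers. The function names are hypothetical and the responses are constructed in place of live replies from 8.8.8.8 or 4.2.2.2.

```python
import struct

QTYPE = {"A": 1, "DS": 43}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
# Header flag bits: QR/RD/RA from RFC 1035, CD (checking disabled) from RFC 4035.
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0010

def build_query(name, qtype, txid=0x1234, cd=True):
    """Wire-format query with RD set and, like `dig +cd`, the CD bit set."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)  # class IN

def parse_header(msg):
    """Return (txid, rcode name, CD bit set?, answer count) from a response."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return txid, RCODE.get(rcode, str(rcode)), bool(flags & FLAG_CD), an

def classify(a_resp, ds_resp):
    """Flag the pattern from the thread: A resolves, DS is SERVFAIL despite CD."""
    a_rc = parse_header(a_resp)[1]
    _, ds_rc, ds_cd, _ = parse_header(ds_resp)
    if a_rc == "NOERROR" and ds_rc == "SERVFAIL" and ds_cd:
        return "upstream-ds-servfail"
    return "ok" if ds_rc == "NOERROR" else "ds-" + ds_rc.lower()

def fake_response(query, rcode):
    """Constructed reply: echo the question, set QR and RA, keep CD, set rcode."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags |= FLAG_QR | FLAG_RA | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]

NAME = "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"

if __name__ == "__main__":
    a_q, ds_q = build_query(NAME, "A"), build_query(NAME, "DS")
    # Constructed responses: NOERROR for A, SERVFAIL for DS.
    print(classify(fake_response(a_q, 0), fake_response(ds_q, 2)))
    # Both NOERROR, the behaviour reported for the other resolver.
    print(classify(fake_response(a_q, 0), fake_response(ds_q, 0)))
```
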