[Cerowrt-devel] [Dnsmasq-discuss] more dnssec failures

Dave Taht dave.taht at gmail.com
Wed Apr 23 13:29:10 EDT 2014


On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood <woody77 at gmail.com> wrote:
> On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley <robert.bradley1 at gmail.com>
> wrote:
>>
>>
>> > ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
>> > e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>> <snip rest of NOERROR response>
>> >
>> > But a query for DS on the same domain, which is what dnsmasq does next,
>> > returns SERVFAIL, _even_with_ checking disabled.
>> >
>> > ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
>> > e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>> <snip SERVFAIL response>
>>
>> This looks identical to the *.cloudflare.com issue I had last week.  In
>> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
>> and 8.8.8.8 returns SERVFAIL for DS lookups.  This looks like a bug in
>> Google's DNS servers as opposed to dnsmasq...
>
>
> A question about dnsmasq and multiple servers.  If I listed both 4.2.2.2 and
> 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case?
> Would it query both for the DS?  Or just "stick" with the first server to
> start responding with an A-record?

By default dnsmasq probes for a "best" upstream DNS server periodically
and uses that.

>
> (I confess that I don't know the details of DNS very well)
>
> -Aaron
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
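
Added example, not part of the original thread: a Python sketch of the two queries compared above (A and DS for the same name, both with the Checking Disabled bit that dig's +cd sets) and the rcode read from each reply. The function names and the constructed sample responses are assumptions made for illustration; ask() needs network access and is not called here.

```python
import socket
import struct

QTYPE = {"A": 1, "DS": 43}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
QR, RD, CD = 0x8000, 0x0100, 0x0010  # header flag bits; CD is what dig's +cd sets

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_query(name, qtype, cd=True, txid=0x1234):
    """Build a recursive query with the Checking Disabled bit set, like dig +cd."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)  # one question, nothing else
    return header + encode_name(name) + struct.pack("!2H", QTYPE[qtype], 1)  # class IN

def parse_rcode(msg):
    """Return the response code name from a DNS response header."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response")
    return RCODE.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

def ask(server, name, qtype, timeout=3.0):
    """Send the query over UDP and return the rcode (needs network; not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_rcode(s.recv(4096))

def fake_response(query, rcode):
    """Constructed sample: echo the query back as a response with the given rcode."""
    txid, flags = struct.unpack("!2H", query[:4])
    return struct.pack("!2H", txid, flags | QR | rcode) + query[4:]

def ds_fails_with_checking_disabled(a_rcode, ds_rcode):
    """True for the pattern in the thread: A answers, DS gives SERVFAIL, both with CD set."""
    return a_rcode == "NOERROR" and ds_rcode == "SERVFAIL"

NAME = "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"
a = parse_rcode(fake_response(build_query(NAME, "A"), 0))    # constructed NOERROR reply
ds = parse_rcode(fake_response(build_query(NAME, "DS"), 2))  # constructed SERVFAIL reply
print(a, ds, ds_fails_with_checking_disabled(a, ds))
```

Calling ask() with each upstream address in turn gives the per-server comparison the thread describes between 8.8.8.8 and 4.2.2.2.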


