[Cerowrt-devel] [Dnsmasq-discuss] more dnssec failures

Robert Bradley robert.bradley1 at gmail.com
Wed Apr 23 13:28:58 EDT 2014


On 23/04/2014 18:16, Robert Bradley wrote:
> On 23/04/2014 17:44, Robert Bradley wrote:
>> This looks identical to the *.cloudflare.com issue I had last week.  In
>> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
>> and 8.8.8.8 returns SERVFAIL for DS lookups.  This looks like a bug in
>> Google's DNS servers as opposed to dnsmasq...
> Digging into this further, it looks like the issue occurs for domain
> names where an A record exists but a DS record does not.  In the case
> where the A/AAAA record is non-existent, (e.g.
> dscc.akamaiedge.net.0.1.cn.akamaiedge.net. instead of e3191.<...> or
> non-existent.cloudflare.com), you get the expected NOERROR or NXDOMAIN
> response.  It would be worth testing this on a non-dual-stacked host or
> a subdomain without related A/AAAA records too.
Update 2:

This seems like it may actually be IPv6-related somehow!  Testing with
IPv4-only domains using Cloudflare for DNS did not seem to trigger the
errors.

-- 
Robert Bradley
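
An added example, not part of the original message: a Python sketch of the resolver comparison described in this thread, building a DS query with the DNSSEC OK (DO) bit set and classifying each resolver's reply. The function names and the constructed sample replies are assumptions for illustration.

```python
import socket
import struct

TYPE_DS, TXID = 43, 0x2014
RCODES = {2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype=TYPE_DS):
    """Wire-format query: RD set, plus an EDNS0 OPT record with the DO bit."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 1)
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root owner, type 41, class = UDP payload size, TTL carries DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def classify(response):
    """Reduce a raw reply to SERVFAIL / NXDOMAIN / NODATA / ANSWER."""
    if len(response) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != TXID or not flags & 0x8000:   # wrong ID, or QR bit clear
        return "MALFORMED"
    rcode = flags & 0x000F
    if rcode == 0:
        return "ANSWER" if ancount else "NODATA"
    return RCODES.get(rcode, "RCODE%d" % rcode)

def ask(server, name, qtype=TYPE_DS, timeout=3.0):
    """Send one UDP query to `server` and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return classify(s.recv(4096))

def suspect_resolvers(results):
    """Resolvers that SERVFAIL while at least one other gives a different result."""
    bad = sorted(r for r, c in results.items() if c == "SERVFAIL")
    return bad if len(bad) < len(results) else []

def sample_response(rcode, ancount=0):
    """Constructed 12-byte reply header (QR, RD, RA set) for offline testing."""
    return struct.pack("!HHHHHH", TXID, 0x8180 | rcode, 1, ancount, 0, 0)

if __name__ == "__main__":
    # Constructed replies standing in for two resolvers answering the same DS query.
    seen = {"8.8.8.8": classify(sample_response(2)), "4.2.2.2": classify(sample_response(0))}
    print(seen, "->", suspect_resolvers(seen))
```

With network access, calling `ask()` once per resolver for the same name fills the same dictionary from live replies.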

