[Cerowrt-devel] [Dnsmasq-discuss] more dnssec failures
simon at thekelleys.org.uk
Wed Apr 23 15:04:35 EDT 2014
On 23/04/14 18:29, Dave Taht wrote:
> On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood <woody77 at gmail.com> wrote:
>> On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley <robert.bradley1 at gmail.com>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @22.214.171.124 a
>>> <snip rest of NOERROR response>
>>>> But a query for DS on the same domain, which is what dnsmasq does next,
>>>> returns SERVFAIL, _even_with_ checking disabled.
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @126.96.36.199 ds
>>> <snip SERVFAIL response>
>>> This looks identical to the *.cloudflare.com issue I had last week. In
>>> both cases, using Level 3's 188.8.131.52 instead of Google DNS works fine,
>>> and 184.108.40.206 returns SERVFAIL for DS lookups. This looks like a bug in
>>> Google's DNS servers as opposed to dnsmasq...
>> A question about dnsmasq and multiple servers. If I listed both 220.127.116.11 and
>> 18.104.22.168 in my dnsmasq configuration, how would dnsmasq behave in this case?
>> would it query both for the DS? or just "stick" with the first server to
>> start responding with an A-record?
> By default dnsmasq probes for a "best" upstream dns server periodically
> and uses that.
Subsequent queries needed to do DNSSEC validation of an initial answer
are always sent to the same server which provided that answer.
>> (I confess that I don't know the details of DNS very well)
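An added example (not part of the thread and not dnsmasq code): a Python triage of the pattern discussed above, where an upstream resolver answers the A query with NOERROR but returns SERVFAIL for the DS query even with the CD (checking disabled) bit set. The dig excerpts, the resolver addresses (RFC 5737 documentation ranges) and the name example.test are constructed for illustration.

```python
import re

def _resp(status, qtype):
    # Constructed dig output excerpt (header, flags, question section only).
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4101\n"
            ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n"
            ";; QUESTION SECTION:\n"
            f";example.test.\t\tIN\t{qtype}\n")

# Constructed sample data: one upstream failing DS lookups, one healthy.
SAMPLES = {
    "192.0.2.1": [_resp("NOERROR", "A"), _resp("SERVFAIL", "DS")],
    "198.51.100.1": [_resp("NOERROR", "A"), _resp("NOERROR", "DS")],
}

STATUS = re.compile(r"status: (\w+)")
FLAGS = re.compile(r"^;; flags: ([a-z ]+);", re.M)
QUESTION = re.compile(r"^;(\S+)\s+IN\s+(\w+)$", re.M)

def parse_dig(text):
    """Return (qtype, status, cd_set) for one dig response."""
    status = STATUS.search(text).group(1)
    flags = FLAGS.search(text).group(1).split()
    qtype = QUESTION.search(text).group(2)
    return qtype, status, "cd" in flags

def triage(samples):
    """Classify each upstream by how it answered the A and DS queries."""
    verdicts = {}
    for server, responses in samples.items():
        seen = {}
        for text in responses:
            qtype, status, cd = parse_dig(text)
            seen[qtype] = (status, cd)
        a, ds = seen.get("A"), seen.get("DS")
        if a is None or ds is None:
            verdicts[server] = "incomplete"
        elif a[0] == "NOERROR" and ds == ("SERVFAIL", True):
            # With CD set the upstream was asked not to validate, so a
            # SERVFAIL here is not a validation verdict from that upstream.
            verdicts[server] = "ds-servfail-with-cd"
        elif a[0] == "NOERROR" and ds[0] == "NOERROR":
            verdicts[server] = "ok"
        else:
            verdicts[server] = "other"
    return verdicts

if __name__ == "__main__":
    for server, verdict in triage(SAMPLES).items():
        print(server, verdict)
```

An upstream flagged `ds-servfail-with-cd` will break validation for any answer it supplied, since the follow-up DS query goes back to that same server.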