[Cerowrt-devel] [Dnsmasq-discuss] more dnssec failures
Simon Kelley
simon at thekelleys.org.uk
Wed Apr 23 15:04:35 EDT 2014
On 23/04/14 18:29, Dave Taht wrote:
> On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood <woody77 at gmail.com> wrote:
>> On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley <robert.bradley1 at gmail.com>
>> wrote:
>>>
>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>> <snip rest of NOERROR response>
>>>>
>>>> But a query for DS on the same domain, which is what dnsmasq does next,
>>>> returns SERVFAIL, _even_with_ checking disabled.
>>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>> <snip SERVFAIL response>
>>>
>>> This looks identical to the *.cloudflare.com issue I had last week. In
>>> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
>>> and 8.8.8.8 returns SERVFAIL for DS lookups. This looks like a bug in
>>> Google's DNS servers as opposed to dnsmasq...
>>
>>
>> A question about dnsmasq and multiple servers. If I listed both 4.2.2.2 and
>> 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case?
>> would it query both for the DS? or just "stick" with the first server to
>> start responding with an A-record?
>
> By default dnsmasq probes for a "best" upstream dns server periodically
> and uses that.
Subsequent queries needed to do DNSSEC validation of an initial answer
are always sent to the same server which provided that answer.
Simon.
>
>>
>> (I confess that I don't know the details of DNS very well)
>>
>> -Aaron
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel at lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
>
>
>
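The diagnostic in the thread (an A query that succeeds, then a DS query for the same name that returns SERVFAIL even with `+cd`) can be scripted so a resolver can be checked before it is listed as a dnsmasq upstream. The stdlib-only probe below is an added example and is not code from the thread, from dnsmasq, or from any of the posters; it builds the two queries in DNS wire format with the CD bit set (the equivalent of `dig +cd`), reads the rcode from each response header, and flags the A-NOERROR / DS-SERVFAIL combination that would leave dnsmasq unable to validate the answer via that server. The resolver address and name used in the usage comment are the ones quoted above; the function and constant names are this example's own.

```python
# Added example (not from the thread): stdlib-only probe for the failure mode
# described above, an A query followed by a DS query for the same name with the
# CD (checking disabled) bit set, reporting when a resolver answers A but
# SERVFAILs DS. It checks only the rcode, not the record contents.
import socket
import struct

QTYPE = {"A": 1, "DS": 43}
QCLASS_IN = 1
RCODE_NAME = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data
FLAG_CD = 0x0010  # checking disabled (what `dig +cd` sets)


def encode_name(name):
    """Encode a dotted name in DNS label wire format (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype, qid=0x1234, cd=True):
    """Build a single-question query; cd=True sets the CD bit like `dig +cd`."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)


def parse_header(data, expected_id):
    """Return rcode name, answer count and the AD/CD bits of a response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return {"rcode": RCODE_NAME.get(rcode, "RCODE%d" % rcode),
            "ancount": an,
            "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD)}


def classify(a_rcode, ds_rcode):
    """Summarise the A/DS result pair in terms of what dnsmasq would hit."""
    if a_rcode == "NOERROR" and ds_rcode == "SERVFAIL":
        return "DS_SERVFAIL_WITH_CD"   # the failure mode seen with 8.8.8.8 above
    if a_rcode == "NOERROR" and ds_rcode == "NOERROR":
        return "OK"
    return "OTHER"


def probe(server, name, timeout=3.0):
    """Send the A and DS queries with CD set to one resolver over UDP port 53."""
    results = {}
    for i, qtype in enumerate(("A", "DS")):
        qid = 0x1000 + i
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype, qid=qid), (server, 53))
            results[qtype] = parse_header(sock.recv(4096), qid)["rcode"]
        finally:
            sock.close()
    return results["A"], results["DS"], classify(results["A"], results["DS"])


if __name__ == "__main__":
    import sys
    # e.g. python probe.py 8.8.8.8 e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it once per candidate upstream: because dnsmasq sends the follow-up DS query to the same server that answered the A query, a server that reports `DS_SERVFAIL_WITH_CD` here will break validation for that name no matter what other servers are configured alongside it.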