[Cerowrt-devel] [Dnsmasq-discuss] test-ipv6.com vs dnssec
Simon Kelley
simon at thekelleys.org.uk
Fri Apr 25 14:49:27 EDT 2014
On 25/04/14 19:01, Jim Gettys wrote:
> More specifically, after boot, most of the time test-ipv6.com reports lots
> of problems.
>
> Then I turned off both dnssec and dnssec-check-unsigned, and restarted
> dnsmasq; clean bill of health from test-ipv6.com.
>
> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
> clean bill of health.
>
> Then I turned on both at the same time, and things are working.
>
> So we seem to have a boot time race of some sort.
> - Jim
>
>
test-ipv6.com is unsigned, so the important thing which is likely
failing is the query for the DS record of test-ipv6.com, which should
return NSEC records providing it doesn't exist, signed by .com
Simon.
>
> On Fri, Apr 25, 2014 at 1:39 PM, Dave Taht <dave.taht at gmail.com> wrote:
>
>> jg tells me the test-ipv6.com site fails with dnssec and enabled on
>> native ipv6.
>>
>> disabling dnssec works.
>>
>> anyone can confirm? get a log/packet capture?
>>
>>
>> --
>> Dave Täht
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel at lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
More information about the Cerowrt-devel
mailing list