[Cerowrt-devel] test-ipv6.com vs dnssec

James Cloos cloos at jhcloos.com
Fri Apr 25 14:45:25 EDT 2014

None of the posted examples which I've looked at have been dnssec signed.

There must be a bug in how dnsmasq tries to prove the non-existance of
the signatures.

Unbound, running on a box inside of a openwrt nat, has no problems with
any of them.

To confirm whether the bug is in dnsmasq or at goog, someone should run
their own verifying resolver (such as unbound) on a public box, open it
just enough for their cerowrt to use it, configure it to log verbosely,
and have their cero use it.

If that also leads to fails, then dnsmasq has the bug.  Otherwise, goog
does something "interesting".

How much ram is available in cero for the resolver?  Unbound on glibc/
amd64 only needs a bit less than 78M virt, 18M rss (with a well-stocked
cache).  The other verifying resolvers probably need similar resources.

Even back when I used a dialup, unbound was perfectly usable insideĀ¹.
The extra traffic from verifying from the roots down shouldn't hurt.

1] in its early days it could DoS, but that issue was fixed.

James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6

More information about the Cerowrt-devel mailing list