[Cerowrt-devel] test-ipv6.com vs dnssec

Török Edwin edwin+ml-cerowrt at etorok.net
Fri Apr 25 15:24:07 EDT 2014


On 04/25/2014 09:01 PM, Jim Gettys wrote:
> More specifically, after boot, most of the time test-ipv6.com <http://test-ipv6.com> reports lots of problems.
> 
> Then I turned off both dnssec and dnssec-check-unsigned, and restarted dnsmasq; clean bill of health from test-ipv6.com <http://test-ipv6.com>.
> 
> 
> So we seem to have a boot time race of some sort.

There is definitely something wrong when ipv6 is enabled (I just noticed that since my latest upgrade I forgot to enable it).
When I enable ipv6 for PPPoE, then IPv6 works in the sense I can ping6 stuff from the router ... except IPv4 is completely broken: there is no default route added according to 'ip route show',
and even if I add a default route machines from LAN still can't reach IPv4 (presumably firewall would need to be reloaded too?).
It doesn't seem to be dnssec related, as even if I turn both dnssec and dnssec-check-unsigned off the behaviour is still the same.
I haven't investigated more deeply what's wrong yet. Do you think it could be related to your race condition?

> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a clean bill of health.

I've been using this for a while, it gets me a 0/10 score, i.e. ipv4 works, ipv6 fails, dual stack works with ipv4.

> 
> Then I turned on both at the same time, and things are working.

With both on I get a 'n/a' as a result, saying that dual-stack lookups timed out, presumably because ipv6 is off, see below.



Best regards,
--Edwin


