[Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

Simon Kelley simon at thekelleys.org.uk
Mon Apr 28 15:32:27 EDT 2014 

On 28/04/14 19:56, Dave Taht wrote:
> I see A and AAAA requests for for "ds.test-ipv6.com" that fail.
> 

The root of this failure is that DS ds.test-ipv6.com is broken.

 <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 ds ds.test-ipv6.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63751
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ds.test-ipv6.com.		IN	DS

;; Query time: 1186 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 28 20:19:34 2014
;; MSG SIZE  rcvd: 34

The latest fix I made (when the SERVFAIL reply comes, try the next
possible secure-nonexistent DS record at test-ipv6.com) works sometimes,
but the query above is taking long enough to fail that sometimes the
original requestor has timed out before it gets the answer and tries again.

Neither of authoritative nameservers for test-ipv6.com return answers to
the DS query, they just time out. They do return answers for A and AAAA
queries. That looks broken to me.

Problems like this have been at the root of most (but not all) of the
DNSSEC failures that have been reported.

Cheers,

Simon.

> 
> On Mon, Apr 28, 2014 at 11:37 AM, Dave Taht <dave.taht at gmail.com>
> wrote:
> 
>> I have put a link up to two of jim's captures going to test-ipv6
>> via cero, one with dnssec enabled, captured at the local laptop
>> 
>> http://snapon.lab.bufferbloat.net/~cero2/baddns/
>> 
>> definately a lot of missing responses when captured at this end.
>> the local laptop is using a local dnsmasq forwarder.
>> 
>> It is falling back to trying a recursive lookup on the default
>> domain ( ipv6.test-ipv6.com.home.lan ) - which it does do a
>> nxdomain for immediately...
>> 
>> 
>> 
>> On Mon, Apr 28, 2014 at 10:03 AM, Dave Taht <dave.taht at gmail.com>
>> wrote:
>> 
>>> 
>>> 
>>> 
>>> On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys <jg at freedesktop.org>
>>> wrote:
>>> 
>>>> ​​Comcast recently lit up IPv6 native dual stack in the Boston
>>>> area.
>>>> 
>>>> The http://test-ipv6.com/ web site complains about DNS problems
>>>> unless dnssec is disabled; if it is, I get various timeouts.
>>>> 
>>>> 
>>>> 
>>> Test with IPv4 DNS record
>>>> ok (4.196s) Test with IPv6 DNS record ok (0.115s) using ipv6 
>>>> Test with Dual Stack DNS record timeout (11.882s)
>>>> 
>>> 
>>> I  don't  know what this test does. try a local query over ipv6?
>>> 
>>> Test for Dual Stack DNS and large packet
>>>> timeout (11.817s) Test IPv4 without DNS ok (0.214s) using ipv4 
>>>> Test IPv6 without DNS ok (0.204s) using ipv6 Test IPv6 large
>>>> packet ok (0.120s) using ipv6 Test if your ISP's DNS server
>>>> uses IPv6 slow (8.752s) Find IPv4 Service Provider timeout
>>>> (11.968s) Find IPv6 Service Provider ok (0.126s) using ipv6 ASN
>>>> 7922 Test for buggy DNS undefined (5.003s)
>>>> 
>>>> DNS server addresses look reasonable for Comcast. DNS 1:
>>>> 75.75.75.75 DNS 2: 75.75.76.76
>>>> 
>>> 
>>> To try to isolate  things a little  bit, you can turn off
>>> fetching ipv4 dns servers with
>>> 
>>> option peerdns  '0'
>>> 
>>> in the wan (ge00) stanza  of /etc/config/network
>>> 
>>> and let the wan6 stanza fetch them.
>>> 
>>> A packet capture of it working vs not working would be good.
>>> 
>>> tcpdump  -i ge00 -w cap1.cap port 53
>>> 
>>> Also  capture on the local interface.
>>> 
>>> DNS 1: 2001:558:feed::1
>>>> DNS 2: 2001:558:feed::2
>>>> 
>>>> Today, the problem seems consistent with turning dnssec on and
>>>> off on the router.  If enabled, I have problems; if disabled, I
>>>> get a clean bill of health out of test-ipv6.com. - Jim
>>>> 
>>>> 
>>>> _______________________________________________ Cerowrt-devel
>>>> mailing list Cerowrt-devel at lists.bufferbloat.net 
>>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>>> 
>>>> 
>>> 
>>> 
>>> -- Dave Täht
>>> 
>>> NSFW: 
>>> https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>>>
>>
>>
>>
>>
>>> 
--
>> Dave Täht
>> 
>> NSFW: 
>> https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>>
>
>> 
> 
> 
> 
> 
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

More information about the Cerowrt-devel mailing list