[Cerowrt-devel] dnssec testing redux

Dave Taht dave.taht at gmail.com
Tue Mar 18 16:04:50 EDT 2014


On Tue, Mar 18, 2014 at 3:24 PM, Török Edwin <edwin at etorok.net> wrote:
> On 03/18/2014 07:56 PM, Rich Brown wrote:
>> Folks,
>>
>> I have updated the 3.10 Release Note page to match my understanding of the 3.10.32-9 release of 14 March 2014. It would be good to get more eyes on the page to look for inconsistencies, outright errors, omissions, etc.  It's at: http://www.bufferbloat.net/projects/cerowrt/wiki/CeroWrt_310_Release_Notes
>>
>> Questions:
>>
>> - Please review the Features items. Any missing? Is DNSSEC enabled now?
>
> Good question.
> If I run 'dig test.dnssec-or-not.net TXT' 3 times in succession it tells me it is supported.
> Try again a minute later, and the query times out again. Well, might be just my ISP's DNS servers being problematic.

Well, this query wedges an older cerowrt's dnsmasq thoroughly
(rendering it inoperable). But I haven't updated to -9 yet on that
box.

There were a few fixes to dnsmasq that I put into -10, but I haven't
tested it yet (and wasn't planning to).



> 1st one times out (after about 18s):
> $ dig test.dnssec-or-not.net TXT

This works from a very well connected host in under a second.

However, the TXT record is probably uncached, which accounts
for the major delays elsewhere, somewhat.

>
> ; <<>> DiG 9.9.5-2-Debian <<>> test.dnssec-or-not.net TXT
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> Second gives me no results:
> $ dig test.dnssec-or-not.net TXT
>
> ; <<>> DiG 9.9.5-2-Debian <<>> test.dnssec-or-not.net TXT
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51755
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;test.dnssec-or-not.net.                IN      TXT
>
> ;; Query time: 748 msec
> ;; SERVER: 172.30.42.1#53(172.30.42.1)
> ;; WHEN: Tue Mar 18 21:17:13 EET 2014
> ;; MSG SIZE  rcvd: 51
>
> Third tells me it's good:
> dig test.dnssec-or-not.net TXT
>
> ; <<>> DiG 9.9.5-2-Debian <<>> test.dnssec-or-not.net TXT
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35187
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 5
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;test.dnssec-or-not.net.                IN      TXT
>
> ;; ANSWER SECTION:
> test.dnssec-or-not.net. 35      IN      CNAME   test.ad1b63b5bebca893.dnssec-or-not.net.
> test.dnssec-or-not.net. 35      IN      RRSIG   CNAME 5 3 60 20140417191653 20140318191653 2256 dnssec-or-not.net. m/Sg8YHkFV4iQW0W20G3iLVi+z+g4p+4919Ihq4hPrzQV6YRUNyzl1vm pjM1pxG2mPgpqkDIRROUJtoF7k4yz2F6QzJAhbV7o7En2/MBHTRO2BuU WoUrmBneWNxq43nbZXwYL01s7le0ff9MpQvtv14egOODa3zNuX++3htt W/Y=
> test.ad1b63b5bebca893.dnssec-or-not.net. 36 IN CNAME test.x.ad1b63b5bebca893.dnssec-or-not.net.
> test.ad1b63b5bebca893.dnssec-or-not.net. 36 IN RRSIG CNAME 5 4 60 20140417191654 20140318191654 35475 ad1b63b5bebca893.dnssec-or-not.net. PEudHM05Qsa7zfQtuXHSKP0n3RQttJeFa6ZE3IhYZcD1vP3ffxKDMxF0 TynSCirU2dpgI1pdW0VIwUZkkFeBZw7RGub2znAXqxieRqVE2pE1DGcq FAZyzy7BpvwIklBrnxidgngMdKJuXqq9ih+Kw2QrA03jFXTWIDhC/8Wq cM0=
> test.x.ad1b63b5bebca893.dnssec-or-not.net. 37 IN CNAME test.x.x.ad1b63b5bebca893.dnssec-or-not.net.
> test.x.ad1b63b5bebca893.dnssec-or-not.net. 37 IN RRSIG CNAME 5 5 60 20140417191654 20140318191654 51156 x.ad1b63b5bebca893.dnssec-or-not.net. rfm+D0Loe5hf3Qp6Qv6lypqlz/CXjcOqdCA3uxWnn/Sp8JBG//4bU7Kn +WZUAkz5DVnrb6Wj6j8UDVKjKeFbNoV6ypOMZvnDVjaZiyFIjZn5OKVb /Py4IaT1aazfuO+s30ymQrtGvlrR+nrBHsziEwxCoSFhfNLcysNsYHXL ycA=
> test.x.x.ad1b63b5bebca893.dnssec-or-not.net. 55 IN TXT "Yes, you are using DNSSEC"
> test.x.x.ad1b63b5bebca893.dnssec-or-not.net. 55 IN RRSIG TXT 5 6 60 20140417191712 20140318191712 52056 x.x.ad1b63b5bebca893.dnssec-or-not.net. CDxbTfIF7kD9XCZbQDNSjfnAAMkivDqKaXCVJGc1yusQuXbQqp1oWt9k chXbbv5osmkJQ60Ril113OEC63zHght+VNyCeigJvs8blUyjRs2GTC0e smDKUamlfT4xL5nC1LlXbKp7aMCjoyg1HV8cRZvJFWCTKMa5DLNCjcYX 2z4=
>
> ;; AUTHORITY SECTION:
> x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN NS ns1.x.x.ad1b63b5bebca893.dnssec-or-not.net.
> x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN NS ns0.x.x.ad1b63b5bebca893.dnssec-or-not.net.
> x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN RRSIG NS 5 5 60 20140417191712 20140318191712 52056 x.x.ad1b63b5bebca893.dnssec-or-not.net. BkGyDiDy8xKUDQSTh01zdStU8H8FgxxTzhSnMw0tyuwg4dpPw/THlymB Ubk4a8x1p3OlrtFh2IBub2om7vg+jxYo5joi10fX8aNgRPF3UuV+62ve CFJ2IAfvmUvKVEWouY/Yv5kvoYNGqn/imxqE7Ni0U93VW9FuXkn1Y2tP hes=
>
> ;; ADDITIONAL SECTION:
> ns0.x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN A 72.13.58.79
> ns1.x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN A 72.13.58.99
> ns0.x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN RRSIG A 5 6 60 20140417191712 20140318191712 52056 x.x.ad1b63b5bebca893.dnssec-or-not.net. FXg2lrSMdJ9WV5mVgON313mCyBnRkGVZRv8BlQCNty6bKhlc12/Fpamf LMmjSy5padZm17ocqOhC6jRFaaj+qeWjLDnArMTddqYk9ecwRTvlIpLL XNqUz/VphdWrXidfUftY8Chz/KVzJOM3FE/GDAFUAGoRaCBLalaYDFM6 1fM=
> ns1.x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN RRSIG A 5 6 60 20140417191712 20140318191712 52056 x.x.ad1b63b5bebca893.dnssec-or-not.net. RrkstBIGWeZ1faMrn12mUap4eGeDnY492/dFISOmP3C/Ffo9mqBQc54x ELBZ7CCyLNIPp+o25fGvS+N8NJO5IqB2hsb+ShSqZzIGYVxCbHB8/OFN EqivXTRsygaoMXfIjIxK0IcefOSLs/MOV5PCjNjEw31OZsq8Gp4nQLWt V4c=
>
> ;; Query time: 20 msec
> ;; SERVER: 172.30.42.1#53(172.30.42.1)
> ;; WHEN: Tue Mar 18 21:17:19 EET 2014
> ;; MSG SIZE  rcvd: 1594



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
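
An added example, not part of the original message or of CeroWrt: a small parser that classifies repeated `dig` runs like the three quoted above by header status and the AD flag, so intermittent DNSSEC behaviour behind a forwarder shows up as mixed verdicts. The sample transcripts are abridged from the thread's output; the function names and verdict labels are assumptions of this example.

```python
import re
from collections import Counter

# Abridged from the three dig transcripts quoted in this thread (answer records omitted).
SAMPLES = [
    """; <<>> DiG 9.9.5-2-Debian <<>> test.dnssec-or-not.net TXT
;; global options: +cmd
;; connection timed out; no servers could be reached
""",
    """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51755
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 748 msec
""",
    """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35187
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 5
;; Query time: 20 msec
""",
]

HEADER = re.compile(r"->>HEADER<<-.*status: (\w+)")
FLAGS = re.compile(r"^;; flags: ([a-z ]*);.*ANSWER: (\d+)", re.M)
QTIME = re.compile(r"^;; Query time: (\d+) msec", re.M)

def classify(dig_output):
    """Return (verdict, query_ms) for one dig transcript."""
    if "connection timed out" in dig_output:
        return "timeout", None
    header, flags, qtime = (p.search(dig_output) for p in (HEADER, FLAGS, QTIME))
    if not (header and flags):
        return "unparsed", None
    ms = int(qtime.group(1)) if qtime else None
    status, flag_set = header.group(1), set(flags.group(1).split())
    answers = int(flags.group(2))
    if status == "SERVFAIL":
        # A validating resolver returns SERVFAIL for bogus data and for upstream failures alike.
        return "servfail", ms
    if status == "NOERROR" and answers and "ad" in flag_set:
        return "validated", ms  # AD: the resolver claims the answer is authenticated
    if status == "NOERROR":
        return "unvalidated", ms
    return status.lower(), ms

def summarize(outputs):
    """Count verdicts over repeated runs; more than one verdict means flaky resolution."""
    counts = Counter(classify(o)[0] for o in outputs)
    return counts, len(counts) > 1
```

The AD flag is only the resolver's assertion, so a stub client trusts it no further than it trusts the path to that resolver (here the router at 172.30.42.1).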
