[Cerowrt-devel] Had to disable dnssec today
Stephen Hemminger
stephen at networkplumber.org
Fri May 16 23:25:00 EDT 2014
On Sat, 26 Apr 2014 13:38:08 +0200
Aaron Wood <woody77 at gmail.com> wrote:
> Just too many sites aren't working correctly with dnsmasq and using
> Google's DNS servers.
>
> - Bank of America (sso-fi.bankofamerica.com)
> - Weather Underground (cdnjs.cloudflare.com)
> - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
>
> And I'm not getting any traction with reporting the errors to those sites,
> so it's frustrating in getting it properly fixed.
>
> While Akamai and Cloudflare appear to be issues with their entries in
> Google DNS, or with dnsmasq's validation of them being insecure domains,
> the BofA issue appears to be an outright bad key. And BofA isn't being
> helpful (just a continual "we use ssl" sort of quasi-automated response).
>
> So I'm disabling it for now, or rather, falling back to using my ISP's DNS
> servers, which don't support DNSSEC at this time. I'll be periodically
> turning it back on, but too much is broken (mainly due to the CDNs) to be
> able to rely on it at this time.
>
> -Aaron
Ditto. I was holding out, but performance was much worse, many websites
would load poorly, and I got complaints about many errors from my customers (family).