[Cerowrt-devel] Had to disable dnssec today
Aaron Wood
woody77 at gmail.com
Fri May 16 23:58:19 EDT 2014
Now that I'm on Comcast, I'm going to try it again.
-Aaron
On Fri, May 16, 2014 at 8:25 PM, Stephen Hemminger <
stephen at networkplumber.org> wrote:
> On Sat, 26 Apr 2014 13:38:08 +0200
> Aaron Wood <woody77 at gmail.com> wrote:
>
> > Just too many sites aren't working correctly with dnsmasq and using
> > Google's DNS servers.
> >
> > - Bank of America (sso-fi.bankofamerica.com)
> > - Weather Underground (cdnjs.cloudflare.com)
> > - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
> >
> > And I'm not getting any traction with reporting the errors to those
> sites,
> > so it's frustrating in getting it properly fixed.
> >
> > While Akamai and cloudflare appear to be issues with their entries in
> > google dns, or with dnsmasq's validation of them being insecure domains,
> > the BofA issue appears to be an outright bad key. And BofA isn't being
> > helpful (just a continual "we use ssl" sort of quasi-automated response).
> >
> > So I'm disabling it for now, or rather, falling back to using my ISP's
> dns
> > servers, which don't support DNSSEC at this time. I'll be periodically
> > turning it back on, but too much is broken (mainly due to the cdns) to be
> > able to rely on it at this time.
> >
> > -Aaron
>
> Ditto. I was holding out, but performance was much worse, many websites
> would load poorly and got complaints from many errors from my customers
> (family).
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140516/3b01a453/attachment-0002.html>
More information about the Cerowrt-devel
mailing list