<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 23, 2014 at 5:58 PM, Simon Kelley <span dir="ltr"><<a href="mailto:simon@thekelleys.org.uk" target="_blank">simon@thekelleys.org.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 23/04/14 16:42, Dave Taht wrote:<br>
> I will argue that a better place to report dnssec validation<br>
> errors is the dnsmasq list.<br>
><br>
> On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood <<a href="mailto:woody77@gmail.com">woody77@gmail.com</a>> wrote:<br>
>> Wed Apr 23 15:13:05 2014 <a href="http://daemon.info" target="_blank">daemon.info</a> dnsmasq[29719]: query[A]<br>
>> <a href="http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" target="_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> from 172.30.42.99<br>
>> Wed Apr 23 15:13:05 2014 <a href="http://daemon.info" target="_blank">daemon.info</a> dnsmasq[29719]: forwarded<br>
>> <a href="http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" target="_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> to 8.8.8.8<br>
>> Wed Apr 23 15:13:05 2014 <a href="http://daemon.info" target="_blank">daemon.info</a> dnsmasq[29719]: dnssec-query[DS]<br>
>> <a href="http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" target="_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> to 8.8.8.8<br>
>> Wed Apr 23 15:13:05 2014 <a href="http://daemon.info" target="_blank">daemon.info</a> dnsmasq[29719]: forwarded<br>
>> <a href="http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" target="_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> to 8.8.4.4<br>
>> Wed Apr 23 15:13:05 2014 <a href="http://daemon.info" target="_blank">daemon.info</a> dnsmasq[29719]: forwarded<br>
>> <a href="http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" target="_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> to 8.8.8.8<br>
>> Wed Apr 23 15:13:05 2014 <a href="http://daemon.info" target="_blank">daemon.info</a> dnsmasq[29719]: reply<br>
>> <a href="http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" target="_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> is BOGUS DS<br>
>> Wed Apr 23 15:13:05 2014 <a href="http://daemon.info" target="_blank">daemon.info</a> dnsmasq[29719]: validation result is<br>
>> BOGUS<br>
>> Wed Apr 23 15:13:05 2014 <a href="http://daemon.info" target="_blank">daemon.info</a> dnsmasq[29719]: reply<br>
>> <a href="http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" target="_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> is 2.20.28.186<br>
>><br>
>> This one validates via verisign, however.<br>
>><br>
<br>
</div>Something strange in that domain. Turning off DNSSEC with the<br>
checking-disabled bit, the original A-record query is OK</blockquote><div> </div><div>....</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Dnsmasq does the DS query next because the answer to the A query comes<br>
back unsigned, so dnsmasq is looking for a DS record that proves this is<br>
OK. It's likely that Verisign does that top-down (starting from the<br>
root) whilst dnsmasq does it bottom up. Hence Verisign never finds the<br>
broken DS, whilst dnsmasq does.<br>
<br>
That's as good an analysis as I can produce right now. Anyone who can<br>
shed more light, please do.<br><br>
(And yes, please report DNSSEC problems on the dnsmasq-discuss list for<br>
preference.)<br></blockquote><div><br></div><div>This is still persisting (and it appears to be blocking a bunch of Apple software update functions). From your comments, Simon, it sounds like you think this is an Akamai issue, and should be reported to them?</div>
<div><br></div><div>Thanks,</div><div>Aaron</div><div> </div></div></div></div>