<div dir="ltr">David,<div><br></div><div>With two of them (Akamai and Cloudflare), I _think_ it's a dnsmasq issue with the DS records for proving insecure domains are insecure. But Simon Kelley would know that better than I.</div>
<div><br></div><div>With BofA, I'm nearly certain it's them, or an issue with one of their partners (since the domain that fails isn't BofA, but something else):</div><div><br></div><div>(with dnssec turned off):</div>
<div><br></div><div><div>;; QUESTION SECTION:</div><div>;<a href="http://sso-fi.bankofamerica.com">sso-fi.bankofamerica.com</a>.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A</div>
<div><br></div><div>;; ANSWER SECTION:</div><div><a href="http://sso-fi.bankofamerica.com">sso-fi.bankofamerica.com</a>. 3599<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>CNAME<span class="" style="white-space:pre"> </span><a href="http://saml-bac.onefiserv.com">saml-bac.onefiserv.com</a>.</div>
<div><a href="http://saml-bac.onefiserv.com">saml-bac.onefiserv.com</a>.<span class="" style="white-space:pre"> </span>299<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>CNAME<span class="" style="white-space:pre"> </span><a href="http://saml-bac.gslb.onefiserv.com">saml-bac.gslb.onefiserv.com</a>.</div>
<div><a href="http://saml-bac.gslb.onefiserv.com">saml-bac.gslb.onefiserv.com</a>. 119 IN<span class="" style="white-space:pre"> </span>A<span class="" style="white-space:pre"> </span>208.235.248.157</div></div><div><br></div>
<div>And it's the <a href="http://saml-bac.gslb.onefiserv.com">saml-bac.gslb.onefiserv.com</a> host that's failing (see here for debug info):</div><div><br></div><div><a href="http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com">http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com</a><br>
</div><div><br></div><div>-Aaron</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Apr 26, 2014 at 6:00 PM, <span dir="ltr"><<a href="mailto:dpreed@reed.com" target="_blank">dpreed@reed.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><font face="arial"><p style="margin:0;padding:0">Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these sites? If it is the latter, I can get attention from executives at some of these companies (Heartbleed has sensitized all kinds of companies to the need to strengthen security infrastructure).</p>
<p style="margin:0;padding:0"> </p>
<p style="margin:0;padding:0">If the former, the change process is going to be more tricky, because dnsmasq is easily dismissed as too small a proportion of the market to care. (wish it were not so).</p><div><div class="h5">
<p style="margin:0;padding:0"><br><br>On Saturday, April 26, 2014 7:38am, "Aaron Wood" <<a href="mailto:woody77@gmail.com" target="_blank">woody77@gmail.com</a>> said:<br><br></p>
<div>
<div dir="ltr">Just too many sites aren't working correctly with dnsmasq and using Google's DNS servers.
<div>- Bank of America (<a href="http://sso-fi.bankofamerica.com" target="_blank">sso-fi.bankofamerica.com</a>)</div>
<div>- Weather Underground (<a href="http://cdnjs.cloudflare.com" target="_blank">cdnjs.cloudflare.com</a>)</div>
<div>- Akamai (<a href="http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" target="_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a>)</div>
<div>And I'm not getting any traction with reporting the errors to those sites, so it's frustrating in getting it properly fixed.</div>
<div>While Akamai and Cloudflare appear to be issues with their entries in Google DNS, or with dnsmasq's validation of them being insecure domains, the BofA issue appears to be an outright bad key. And BofA isn't being helpful (just a continual "we use SSL" sort of quasi-automated response).</div>
<div>So I'm disabling it for now, or rather, falling back to using my ISP's DNS servers, which don't support DNSSEC at this time. I'll be periodically turning it back on, but too much is broken (mainly due to the CDNs) to be able to rely on it at this time.</div>
<div>-Aaron</div>
</div>
</div></div></div></font></blockquote></div><br></div>
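The point in the thread above is that the name a user queried (sso-fi.bankofamerica.com) is not the name whose validation fails: the CNAME chain hands the answer off to a third party's zone, and a validating resolver grades the whole response by its weakest link. The following Python model, added here as an editor's example and not taken from the thread or from dnsmasq, walks the dig answer section quoted above and combines per-zone DNSSEC outcomes the way RFC 4035 section 4.3 describes: any bogus RRset makes the response bogus (SERVFAIL), while a zone with a validated proof of no DS only downgrades it to insecure, which still resolves. The zone cuts (gslb.onefiserv.com. as its own zone) and the per-zone statuses are assumptions constructed for the example; the real state of those zones is what `dig +dnssec` or the Verisign debugger linked above reports.

```python
"""Model of how a validating resolver grades a CNAME-chained answer
(RFC 4035 sec. 4.3): one bogus RRset anywhere in the chain makes the whole
response bogus (SERVFAIL); a zone with a validated proof of no DS only
downgrades the result to insecure, which still resolves."""

import re

# Constructed copy of the dig answer section quoted in the thread
# (tabs collapsed to spaces; TTLs as shown).
DIG_ANSWER = """\
sso-fi.bankofamerica.com.    3599 IN CNAME saml-bac.onefiserv.com.
saml-bac.onefiserv.com.      299  IN CNAME saml-bac.gslb.onefiserv.com.
saml-bac.gslb.onefiserv.com. 119  IN A     208.235.248.157
"""

# Assumed per-zone validation outcomes, keyed by zone apex. These are
# hypothetical inputs for the example, not the real state of these zones,
# and the zone cuts (gslb.onefiserv.com. as its own zone) are assumed too.
ZONE_STATUS_BAD_KEY = {
    "bankofamerica.com.": "secure",
    "onefiserv.com.": "secure",
    "gslb.onefiserv.com.": "bogus",     # e.g. RRSIG fails under published DNSKEY
}
ZONE_STATUS_INSECURE_TARGET = {
    "bankofamerica.com.": "secure",
    "onefiserv.com.": "secure",
    "gslb.onefiserv.com.": "insecure",  # validated NSEC/NSEC3 proof of no DS
}

RANK = {"bogus": 0, "insecure": 1, "secure": 2}


def parse_answer(text):
    """Parse 'owner TTL class type rdata' lines into tuples; skip ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, klass, rtype, rdata = re.split(r"\s+", line, maxsplit=4)
        records.append((owner.lower(), int(ttl), klass, rtype, rdata))
    return records


def zone_of(name, zones):
    """Longest known zone apex that is a suffix of name, or None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def follow_chain(records, qname, qtype):
    """Return the (owner, type) RRsets a resolver must validate for qname/qtype."""
    by_owner = {}
    for owner, _ttl, _klass, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    name, chain, seen = qname.lower(), [], set()
    while name not in seen:          # 'seen' guards against CNAME loops
        seen.add(name)
        rrs = by_owner.get(name, [])
        target = next((rd for rt, rd in rrs if rt == "CNAME"), None)
        if target is not None and qtype != "CNAME":
            chain.append((name, "CNAME"))
            name = target.lower()
            continue
        if any(rt == qtype for rt, _ in rrs):
            chain.append((name, qtype))
        break
    return chain


def validate_response(records, qname, qtype, zone_status):
    """Combine per-RRset statuses; return (overall, first owner that lowered it)."""
    overall, culprit = "secure", None
    for owner, _rtype in follow_chain(records, qname, qtype):
        zone = zone_of(owner, zone_status)
        status = zone_status.get(zone, "bogus")  # unknown zone: cannot validate
        if RANK[status] < RANK[overall]:
            overall, culprit = status, owner
        if overall == "bogus":
            break
    return overall, culprit


if __name__ == "__main__":
    recs = parse_answer(DIG_ANSWER)
    for label, zones in (("bad key", ZONE_STATUS_BAD_KEY),
                         ("insecure target", ZONE_STATUS_INSECURE_TARGET)):
        print(label, validate_response(recs, "sso-fi.bankofamerica.com.", "A", zones))
```

Run stand-alone it reports the bad-key case as bogus at saml-bac.gslb.onefiserv.com. and the insecure-target case as insecure at the same owner: the first is the outright failure a validating resolver turns into SERVFAIL, the second is the harmless outcome a correct DS-denial proof should yield for an unsigned CDN zone. When a user-facing name breaks under DNSSEC, the owner to contact is whoever runs the zone of the failing RRset, which this walk names, rather than the operator of the queried name.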