On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
> Robert Bradley <[email protected]> writes:
>
>> That seems to suggest that it's the DS queries that are failing and
>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>> seems to suggest that their nameservers refuse requests for DNSKEY
>> records.
> I seem to have no problems resolving either cloudfare.com or
> cloudfare.net with dnssec validation enabled. But then I might have a
> different view of their DNS infrastructure; I'm in Sweden...
>
> You can try running dig with +dnssec +trace to see where in the chain
> things go wrong...
>
> -Toke

Using +dnssec +trace returns no errors, but that ends up bypassing both Google's DNS servers and dnsmasq in favour of going directly to the DNS root. It looks like there is some issue with 8.8.8.8 and 8.8.4.4 disliking that particular domain (at least from a UK point of view), but I am unable to see what it is.

--
Robert Bradley
_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel
