On 23/04/14 18:29, Dave Taht wrote:
> On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood <[email protected]> wrote:
>> On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley <[email protected]>
>> wrote:
>>>
>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>> <snip rest of NOERROR response>
>>>>
>>>> But a query for DS on the same domain, which is what dnsmasq does next,
>>>> returns SERVFAIL, _even_with_ checking disabled.
>>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>> <snip SERVFAIL response>
>>>
>>> This looks identical to the *.cloudflare.com issue I had last week. In
>>> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
>>> and 8.8.8.8 returns SERVFAIL for DS lookups. This looks like a bug in
>>> Google's DNS servers as opposed to dnsmasq...
>>
>>
>> A question about dnsmasq and multiple servers. If I listed both 4.2.2.2 and
>> 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case?
>> would it query both for the DS? or just "stick" with the first server to
>> start responding with an A-record?
>
> By default dnsmasq probes for a "best" upstream dns server periodically
> and uses that.

subsequent queries needed to do DNSSEC validation of an initial answer
are always sent to the same server which provided that answer.

Simon.

>
>>
>> (I confess that I don't know the details of DNS very well)
>>
>> -Aaron
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> [email protected]
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
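
The symptom reported in this thread (an A query that returns NOERROR while the DS query for the same name returns SERVFAIL, both with checking disabled) can be picked out of saved dig output per upstream resolver. The following is an added example, not part of the thread or of dnsmasq; the sample output and the name `signed.example` are constructed.

```python
import re

BANNER = re.compile(r"^; <<>> DiG \S+ <<>> (.+)$")   # dig echoes its arguments here
STATUS = re.compile(r"status: (\w+)")                 # rcode in the ->>HEADER<<- line
QTYPES = {"A", "AAAA", "DS", "DNSKEY"}

# Constructed dig output (banner and header lines only), same shape as the thread's queries.
SAMPLE = """\
; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a signed.example
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds signed.example
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
; <<>> DiG 9.8.1-P1 <<>> +cd @4.2.2.2 a signed.example
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
; <<>> DiG 9.8.1-P1 <<>> +cd @4.2.2.2 ds signed.example
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4444
"""

def parse_dig(text):
    """Return one record per dig run: server, qtype, name, cd flag, rcode."""
    records, cur = [], None
    for line in text.splitlines():
        m = BANNER.match(line)
        if m:
            cur = {"server": None, "qtype": "A", "name": None,
                   "cd": False, "status": None}
            for arg in m.group(1).split():
                if arg.startswith("@"):
                    cur["server"] = arg[1:]
                elif arg.startswith("+"):
                    cur["cd"] |= arg in ("+cd", "+cdflag")
                elif arg.upper() in QTYPES:
                    cur["qtype"] = arg.upper()
                else:
                    cur["name"] = arg.rstrip(".")
            records.append(cur)
        elif cur is not None and cur["status"] is None and "->>HEADER<<-" in line:
            s = STATUS.search(line)
            if s:
                cur["status"] = s.group(1)
    return records

def ds_failures(text):
    """(server, name) pairs where A is NOERROR but DS is SERVFAIL, both with +cd."""
    rcodes = {(r["server"], r["name"], r["qtype"]): r["status"]
              for r in parse_dig(text) if r["cd"]}
    return sorted((srv, name) for (srv, name, qt), st in rcodes.items()
                  if qt == "DS" and st == "SERVFAIL"
                  and rcodes.get((srv, name, "A")) == "NOERROR")

if __name__ == "__main__":
    print(ds_failures(SAMPLE))
```
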
