None of the posted examples which I've looked at have been dnssec signed. There must be a bug in how dnsmasq tries to prove the non-existance of the signatures.
Unbound, running on a box inside of a openwrt nat, has no problems with any of them. To confirm whether the bug is in dnsmasq or at goog, someone should run their own verifying resolver (such as unbound) on a public box, open it just enough for their cerowrt to use it, configure it to log verbosely, and have their cero use it. If that also leads to fails, then dnsmasq has the bug. Otherwise, goog does something "interesting". How much ram is available in cero for the resolver? Unbound on glibc/ amd64 only needs a bit less than 78M virt, 18M rss (with a well-stocked cache). The other verifying resolvers probably need similar resources. Even back when I used a dialup, unbound was perfectly usable inside¹. The extra traffic from verifying from the roots down shouldn't hurt. 1] in its early days it could DoS, but that issue was fixed. -JimC -- James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6 _______________________________________________ Cerowrt-devel mailing list [email protected] https://lists.bufferbloat.net/listinfo/cerowrt-devel
