On 04/25/2014 09:49 PM, Simon Kelley wrote:
> On 25/04/14 19:01, Jim Gettys wrote:
>> More specifically, after boot, most of the time test-ipv6.com reports lots
>> of problems.
>>
>> Then I turned off both dnssec and dnssec-check-unsigned, and restarted
>> dnsmasq; clean bill of health from test-ipv6.com.
>>
>> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
>> clean bill of health.
>>
>> Then I turned on both at the same time, and things are working.
>>
>> So we seem to have a boot time race of some sort.
>> - Jim
>>
>
> test-ipv6.com is unsigned, so the important thing which is likely
> failing is the query for the DS record of test-ipv6.com, which should
> return NSEC records providing it doesn't exist, signed by .com

According to http://dnssec-debugger.verisignlabs.com/test-ipv6.com

test-ipv6.com
No DS records found for test-ipv6.com in the com zone
Query to ns1.test-ipv6.com/216.218.228.118 for test-ipv6.com/DNSKEY timed out or failed
Query to ns2.test-ipv6.com/209.128.193.197 for test-ipv6.com/DNSKEY timed out or failed
Failed to get DNSKEY RR set for zone test-ipv6.com
No response from test-ipv6.com nameservers

Compare this to a domain that works with check-unsigned on:

openwrt.org
No DS records found for openwrt.org in the org zone
No DNSKEY records found
openwrt.org A RR has value 78.24.191.177
No RRSIGs found

Is the timeout/failed DNSKEY reply for test-ipv6.com the problem?

With dnssec-check-unsigned turned on (and no IPv6, just IPv4) I get this:

dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[A] test-ipv6.com from 172.30.42.12
dnsmasq: forwarded test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DNSKEY] com to 213.154.124.1
dnsmasq: dnssec-query[DS] com to 213.154.124.1
dnsmasq: dnssec-query[DNSKEY] . to 213.154.124.1
dnsmasq: reply . is DNSKEY keytag 40926
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply com is DS keytag 30909
dnsmasq: reply com is DNSKEY keytag 30909
dnsmasq: reply com is DNSKEY keytag 56657
dnsmasq: validation result is INSECURE
dnsmasq: reply test-ipv6.com is 216.218.228.119
dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: query[A] ipv6.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: query[AAAA] ipv6.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 193.231.252.1
dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply ipv4.test-ipv6.com is NODATA-IPv6
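
Added example, not part of the original message: a small Python summarizer for dnsmasq query logs like the one quoted above, reporting which names ended up BOGUS, which record failed, and which upstream servers needed a dnssec retry. It assumes each "validation result" line is followed by the answer it applies to, as in that log; the function and variable names are illustrative.

```python
import re
from collections import Counter

# Lines selected from the dnsmasq log quoted above, in their original order.
SAMPLE_LOG = """\
dnsmasq: query[A] test-ipv6.com from 172.30.42.12
dnsmasq: forwarded test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DNSKEY] com to 213.154.124.1
dnsmasq: validation result is INSECURE
dnsmasq: reply test-ipv6.com is 216.218.228.119
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
"""

RETRY = re.compile(r"dnssec retry to (\S+)")
BOGUS = re.compile(r"reply (\S+) is BOGUS (\w+)")
RESULT = re.compile(r"validation result is (\w+)")
ANSWER = re.compile(r"reply (\S+) is (\S+)$")  # single-token answers only


def summarize(log_text):
    """Tie each 'validation result' to the answer logged right after it."""
    status, bogus, retries = {}, [], Counter()
    pending = None  # validation result still waiting for its answer line
    for line in log_text.splitlines():
        line = line.strip()
        if m := RETRY.search(line):
            retries[m.group(1)] += 1  # upstream that had to be asked again
        elif m := BOGUS.search(line):
            bogus.append((m.group(1), m.group(2)))  # name and failing record
        elif m := RESULT.search(line):
            pending = m.group(1)
        elif (m := ANSWER.search(line)) and pending:
            status[m.group(1)] = pending  # assumption: answer follows result
            pending = None
    return {"status": status, "bogus": bogus, "retries": dict(retries)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```
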
