On 04/25/2014 10:43 PM, Török Edwin wrote:
> On 04/25/2014 09:49 PM, Simon Kelley wrote:
>> On 25/04/14 19:01, Jim Gettys wrote:
>>> More specifically, after boot, most of the time test-ipv6.com reports lots
>>> of problems.
>>>
>>> Then I turned off both dnssec and dnssec-check-unsigned, and restarted
>>> dnsmasq; clean bill of health from test-ipv6.com.
>>>
>>> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
>>> clean bill of health.
>>>
>>> Then I turned on both at the same time, and things are working.
>>>
>>> So we seem to have a boot time race of some sort.
>>> - Jim
>>>
>>
>> test-ipv6.com is unsigned, so the important thing which is likely
>> failing is the query for the DS record of test-ipv6.com, which should
>> return NSEC records providing it doesn't exist, signed by .com

Also retrieving those signatures seems to work (from the LAN):

$ dig +dnssec -t DS test-ipv6.com

; <<>> DiG 9.9.5-3-Debian <<>> +dnssec -t DS test-ipv6.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47250
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test-ipv6.com.                 IN      DS

;; AUTHORITY SECTION:
com.                    874     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1398455240 1800 900 604800 86400
com.                    874     IN      RRSIG   SOA 8 1 900 20140502194720 20140425183720 56657 com. Em3k/33z2feLqtirerPNVE4HwF+ZstYVtR+J7rowCn/++FnDtRv7OBZp rbtNBI90BQj23QjzEkrwaBmVfcFOQSNhdAIHFxPSqOPCWbxdwQxf18yi 3ifhorL9mUX7ir2AqLb57LX+sPaFYOlAPQSIie4+nELiXZfH4mQ2cEXr eLY=
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 874 IN RRSIG NSEC3 8 2 86400 20140501044827 20140424033827 56657 com. JUeicIqLHJIYo10Z0M2LbKefhiW3g2T45jv0l0wxZC/8fdKLCBqIpk2k cjy1CSs1pzpR58BZM3E7QfVMZO61ncCOnK1Zarry6Z0ZYMm54sL625dl MMfYMhMpLVuzbBaK8TJmX3jvQWR8bxkoEXYUy3bP7+x88lHPK6wYkJlB VSA=
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 874 IN NSEC3 1 1 0 - CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
ERPPHPFQOHA3Q5F237FVRROKA4N73V2M.com. 874 IN RRSIG NSEC3 8 2 86400 20140501112409 20140424101409 56657 com. Zbz49pAXUE4iYhGmN3ywbWpWECc4fdBkT2HBwApFLr4UGDG67YbjtxhI D4ihlqTCKZES4/zFp4DqdA45/ha6m6nKUfo4/hE2y/ljhGbx08GqY3Ba cBWvBrfnmS1EGU8Yh1VG8tQ5CYK8qO6isUIzyGaV4Wpn4SQmTEAmaqfn FHk=
ERPPHPFQOHA3Q5F237FVRROKA4N73V2M.com. 874 IN NSEC3 1 1 0 - ERPT5A7MVN31GIUL5DMRAU0K8N2IGLTI NS DS RRSIG

;; Query time: 29 msec
;; SERVER: 172.30.42.1#53(172.30.42.1)
;; WHEN: Fri Apr 25 22:48:01 EEST 2014
;; MSG SIZE rcvd: 763

>
> According to http://dnssec-debugger.verisignlabs.com/test-ipv6.com
> test-ipv6.com
> No DS records found for test-ipv6.com in the com zone
> Query to ns1.test-ipv6.com/216.218.228.118 for test-ipv6.com/DNSKEY
> timed out or failed
> Query to ns2.test-ipv6.com/209.128.193.197 for test-ipv6.com/DNSKEY
> timed out or failed
> Failed to get DNSKEY RR set for zone test-ipv6.com
> No response from test-ipv6.com nameservers
>
> Compare this to a domain that works with check-unsigned on:
> openwrt.org
> No DS records found for openwrt.org in the org zone
> No DNSKEY records found
> openwrt.org A RR has value 78.24.191.177
> No RRSIGs found
>
> Is the timeout/failed DNSKEY reply for test-ipv6.com the problem?
>
> with dnssec-check-unsigned turned on (and no IPv6, just IPv4) I get this:
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[A] test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DNSKEY] com to 213.154.124.1
> dnsmasq: dnssec-query[DS] com to 213.154.124.1
> dnsmasq: dnssec-query[DNSKEY] . to 213.154.124.1
> dnsmasq: reply . is DNSKEY keytag 40926
> dnsmasq: reply . is DNSKEY keytag 19036
> dnsmasq: reply com is DS keytag 30909
> dnsmasq: reply com is DNSKEY keytag 30909
> dnsmasq: reply com is DNSKEY keytag 56657
> dnsmasq: validation result is INSECURE
> dnsmasq: reply test-ipv6.com is 216.218.228.119
> dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 213.154.124.1
> dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: query[A] ipv6.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com.home.lan from 172.30.42.12
> dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
> dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
> dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
> dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
> dnsmasq: dnssec retry to 193.231.252.1
> dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
> dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
> dnsmasq: validation result is BOGUS
> dnsmasq: reply ipv4.test-ipv6.com is NODATA-IPv6
>
> _______________________________________________
> Cerowrt-devel mailing list
> [email protected]
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
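The quoted dnsmasq log is long enough that the verdicts are easy to miss by eye: one INSECURE result for test-ipv6.com, then repeated `BOGUS DS` replies for ipv4.test-ipv6.com each followed by an answer. The script below is an added example, not code from this thread or from dnsmasq, that parses log lines in the format quoted above and summarises, per name, the validation verdicts, the `BOGUS DS` sightings, the DS lookups and the `dnssec retry` count. The pairing rule it uses, that a `validation result is X` line belongs to the next `reply NAME is <answer>` line (skipping the DNSKEY/DS keytag and `BOGUS DS` lines of the chain walk), is an assumption inferred from the ordering of the quoted log, not documented dnsmasq behaviour. The embedded sample is a constructed, shortened excerpt of that log.

```python
"""Summarise DNSSEC validation verdicts from dnsmasq query-log lines.

Added example for the cerowrt-devel thread; not dnsmasq code. The
pairing of a "validation result" line with the next answer "reply" line
is an assumption inferred from the quoted log, not documented behaviour.
"""
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt of the log quoted in the thread.
SAMPLE_LOG = """\
dnsmasq: query[A] test-ipv6.com from 172.30.42.12
dnsmasq: forwarded test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DNSKEY] com to 213.154.124.1
dnsmasq: dnssec-query[DS] com to 213.154.124.1
dnsmasq: dnssec-query[DNSKEY] . to 213.154.124.1
dnsmasq: reply . is DNSKEY keytag 40926
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply com is DS keytag 30909
dnsmasq: reply com is DNSKEY keytag 30909
dnsmasq: reply com is DNSKEY keytag 56657
dnsmasq: validation result is INSECURE
dnsmasq: reply test-ipv6.com is 216.218.228.119
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply ipv4.test-ipv6.com is NODATA-IPv6
"""

# search() rather than match() so a syslog timestamp/hostname prefix is tolerated.
REPLY_RE = re.compile(r"dnsmasq: reply (\S+) is (.+)$")
RESULT_RE = re.compile(r"dnsmasq: validation result is (\w+)$")
DNSSEC_Q_RE = re.compile(r"dnsmasq: dnssec-query\[(\w+)\] (\S+) to (\S+)$")
RETRY_RE = re.compile(r"dnsmasq: dnssec retry to (\S+)$")
# Reply payloads that belong to the chain-of-trust walk, not to the final
# answer; a pending verdict is not attached to these.
CHAIN_RE = re.compile(r"^(DNSKEY keytag \d+|DS keytag \d+|BOGUS DS)$")


def summarize(lines):
    """Return (per-name stats, retry count) for an iterable of log lines."""
    stats = defaultdict(lambda: {"verdicts": [], "bogus_ds": 0, "ds_queries": 0})
    retries = 0
    pending = None  # verdict waiting for the answer line it applies to (assumed ordering)
    for raw in lines:
        line = raw.strip()
        m = DNSSEC_Q_RE.search(line)
        if m:
            if m.group(1) == "DS":
                stats[m.group(2)]["ds_queries"] += 1
            continue
        if RETRY_RE.search(line):
            retries += 1
            continue
        m = RESULT_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue
        name, payload = m.groups()
        if payload == "BOGUS DS":
            stats[name]["bogus_ds"] += 1
        if CHAIN_RE.match(payload):
            continue
        if pending is not None:
            stats[name]["verdicts"].append(pending)
            pending = None
    return dict(stats), retries


def names_with_verdict(lines, verdict):
    """Sorted names that received the given verdict (e.g. "BOGUS") at least once."""
    stats, _ = summarize(lines)
    return sorted(n for n, s in stats.items() if verdict in s["verdicts"])


def report(text):
    """Human-readable summary of a whole log text."""
    stats, retries = summarize(text.splitlines())
    out = [f"{n}: verdicts={s['verdicts'] or '-'} bogus_ds={s['bogus_ds']} "
           f"ds_queries={s['ds_queries']}" for n, s in sorted(stats.items())]
    out.append(f"dnssec retries: {retries}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real dnsmasq log (`python3 script.py < /var/log/dnsmasq.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), a name that collects both a BOGUS verdict and an address answer, as ipv4.test-ipv6.com does in the quoted log, is the one to investigate first.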
