Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these sites?
If it is the latter, I can get attention from executives at some of these
companies (Heartbleed has sensitized all kinds of companies to the need to
strengthen security infrastructure).
If the former, the change process is going to be more tricky, because dnsmasq
is easily dismissed as too small a proportion of the market to care. (Wish it
were not so.)
On Saturday, April 26, 2014 7:38am, "Aaron Wood" <[email protected]> said:
Just too many sites aren't working correctly with dnsmasq and using Google's
DNS servers.
- Bank of America (sso-fi.bankofamerica.com)
- Weather Underground (cdnjs.cloudflare.com)
- Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
And I'm not getting any traction with reporting the errors to those sites, so
it's frustrating in getting it properly fixed.
While Akamai and Cloudflare appear to be issues with their entries in Google
DNS, or with dnsmasq's validation of them being insecure domains, the BofA
issue appears to be an outright bad key. And BofA isn't being helpful (just a
continual "we use ssl" sort of quasi-automated response).
So I'm disabling it for now, or rather, falling back to using my ISP's DNS
servers, which don't support DNSSEC at this time. I'll be periodically turning
it back on, but too much is broken (mainly due to the CDNs) to be able to rely
on it at this time.
-Aaron
_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel