On Fri, Apr 25, 2014 at 11:49 AM, Simon Kelley <[email protected]> wrote: > On 25/04/14 19:01, Jim Gettys wrote: >> More specifically, after boot, most of the time test-ipv6.com reports lots >> of problems. >> >> Then I turned off both dnssec and dnssec-check-unsigned, and restarted >> dnsmasq; clean bill of health from test-ipv6.com. >> >> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a >> clean bill of health. >> >> Then I turned on both at the same time, and things are working. >> >> So we seem to have a boot time race of some sort. >> - Jim >> >> > > > test-ipv6.com is unsigned, so the important thing which is likely > failing is the query for the DS record of test-ipv6.com, which should > return NSEC records providing it doesn't exist, signed by .com
As one example of a registrar not with the program, name.com (registrar for bufferbloat.net) does not allow for ds records to come from it, so that domain can't be fully signed. So it sounds to me as if negative proofs are not possible with registrars that lack this support? > > Simon. > > > >> >> On Fri, Apr 25, 2014 at 1:39 PM, Dave Taht <[email protected]> wrote: >> >>> jg tells me the test-ipv6.com site fails with dnssec and enabled on >>> native ipv6. >>> >>> disabling dnssec works. >>> >>> anyone can confirm? get a log/packet capture? >>> >>> >>> -- >>> Dave Täht >>> _______________________________________________ >>> Cerowrt-devel mailing list >>> [email protected] >>> https://lists.bufferbloat.net/listinfo/cerowrt-devel >>> >> >> >> >> _______________________________________________ >> Dnsmasq-discuss mailing list >> [email protected] >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss >> > -- Dave Täht NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article _______________________________________________ Cerowrt-devel mailing list [email protected] https://lists.bufferbloat.net/listinfo/cerowrt-devel
