On 25/04/14 19:01, Jim Gettys wrote: > More specifically, after boot, most of the time test-ipv6.com reports lots > of problems. > > Then I turned off both dnssec and dnssec-check-unsigned, and restarted > dnsmasq; clean bill of health from test-ipv6.com. > > Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a > clean bill of health. > > Then I turned on both at the same time, and things are working. > > So we seem to have a boot time race of some sort. > - Jim > >
test-ipv6.com is unsigned, so the important thing which is likely failing is the query for the DS record of test-ipv6.com, which should return NSEC records providing it doesn't exist, signed by .com Simon. > > On Fri, Apr 25, 2014 at 1:39 PM, Dave Taht <dave.t...@gmail.com> wrote: > >> jg tells me the test-ipv6.com site fails with dnssec and enabled on >> native ipv6. >> >> disabling dnssec works. >> >> anyone can confirm? get a log/packet capture? >> >> >> -- >> Dave Täht >> _______________________________________________ >> Cerowrt-devel mailing list >> cerowrt-de...@lists.bufferbloat.net >> https://lists.bufferbloat.net/listinfo/cerowrt-devel >> > > > > _______________________________________________ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss