Hi Simon, > > Well, that's the smoking gun. Dnsmasq is doing the right thing, and your > > upstream server at 212.202.215.1 is broken. I realise that doesn't solve > > the problem, but at least you know where to work now :) > > > > > > (the reason dnsmasq is returning SERVFAIL is that there's a > > chain-of-trust from the root that says paypal.com is signed, If the > > answer to the paypal.com query isn't signed, it may be a false answer, > > so it can't be trusted.) > > Of course this is the right thing to do! > > I will contact the upstream provider and ask them to fix this! > > Interestingly, two of their three IPv4 DNS servers have the problem. The 3rd > one and all three IPv6 DNS servers are working fine. This explains why it > sometimes worked. > > Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows more > servers, retry on others, too?
What do you think about this proposal? Uwe _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
