On Sat, May 14, 2016 at 08:55:58PM +0200, Uwe Schindler wrote:
> > > Well, that's the smoking gun. Dnsmasq is doing the right thing,
> > > and your upstream server at 212.202.215.1 is broken. I realise
> > > that doesn't solve the problem, but at least you know where to
> > > work now :)
> > >
> > > (the reason dnsmasq is returning SERVFAIL is that there's a
> > > chain-of-trust from the root that says paypal.com is signed,
> > > If the answer to the paypal.com query isn't signed, it may be
> > > a false answer, so it can't be trusted.)
> >
> > Of course this is the right thing to do!
> >
> > I will contact the upstream provider and ask them to fix this!
> >
> > Interestingly, two of their three IPv4 DNS servers have the
> > problem. The 3rd one and all three IPv6 DNS servers are working
> > fine. This explains why it sometimes worked.
> >
> > Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows
> > more servers, retry on others, too?
> > What do you think about this proposal?
Hmm. I think the story illustrates the importance of controlling your own upstream resolver, or at least of using one you know you can trust.

I think there are two main reasons why signatures are broken:
1. Domain manager had an error in signing and/or keys (usually a software problem with signing)
2. DNS hijacking (not necessarily of malicious intent)

Sometimes people get started validating DNSSEC and lose their will to be doing so after a SERVFAIL or two. Those folks are better off disabling validation. But you're not necessarily among them, it seems; you're just getting occasionally broken replies from the upstream server.

The problem I have with your idea is that you don't really have an automated means to determine the problem upstream. You simply cannot rely on a broken upstream server if you're going to validate. So you fall back on 8.8.8.8 for any DNSSEC failure ... but wouldn't you be better off just using 8.8.8.8 and dumping the broken one?

I've said before what I do ... I have *both* dnsmasq and named running; dnsmasq on port 53 and named on 127.0.0.1:1035. The named is doing recursion only. Yes, I'm hard core. :)
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss