[Dnsmasq-discuss] dns flag day 2020

[Dave Taht]

Does anyone have an opinion on:

https://github.com/dns-violations/dnsflagday/issues/125

(posteth not here, but on that thread)

sort of spawned by that, though, are three questions, which
perhaps we can answer here...

1) How much is the dnssec stuff in dnsmasq enabled?

For example, although it's available in openwrt, I think it is disabled
by default. It was enabled by default in cerowrt (my old project), but
had enough bugs revealed after the final release for most to disable it.

That said, I do run it where I can, in openwrt, but I figure it's kind
of lonely.

2) How often does it succeed over udp?

3) How often does it have to fallback to tcp?


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] localise-queries and IPv6, rtod

[Dave Taht]

Roy Marples  writes:

> On 23/08/2019 06:31, For What It Worth wrote:
>> Routing Tables of Death - rtod - a kernel, routing protocol, and routing
>> daemon stress testing tool
>>
>>> See the README for how it works.
>>
>> https://github.com/dtaht/rtod/blob/master/README.md starts with
>>
>> rtod: Routing Tables of Death
>>
>> rtod allows for the rapid injection and removal of large numbers of
>> distinct routes per host, as a means to test the capabilities of
>> kernels, routing protocols, and routing daemons.
>>
>> Do NOT run this on a production network. DO read this documentation.
>>
>> The rtod script was developed to stress test kernel routing features,
>> daemons, and protocols as a means to measure their behavior and make
>> them better.
>
> Someone tested dhcpcd with a similar tool - 
> http://docs.frrouting.org/en/latest/sharp.html.
>
> The end result was moving the routing table from a linked list to a RB Tree.
> https://roy.marples.name/blog/red-black-tree
> Improved dhcpcd's performance from minutes to seconds with over a
> million routes!

Oh cool. I never got around to turning rtod into C, as doing it in shell
was destructive enough. I ended up going with a hash though (in babel) -
uthash was very flexible and usable, though overlarge (it not only
hashes but is a bidir sorted linked list), then I started fiddling with
a cut-down version and then got stuck on needing a timerwheel or
something like that for notifications and then... moved on to something
else.

rtod did damage to dnsmasq 'because it listens to all events, also
odhcpd, frr, name it - it was a good stress tool, and writing the
README was cathartic. I really did trash the flash on one box,
and contributed to global warming, by writing it.

smarter algos are always better.

> Roy
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] localise-queries and IPv6

[Dave Taht]

Simon Kelley  writes:

> On 06/08/2019 18:14, Carsten Spieß wrote:
>> Hello Simon,
>> 
 I've added entries for a multi homed machine to the hosts file.
 For IPv4 i get one address localized to the caller,
 for IPv6 i get a list of all addresses.

 The man page notes for localise-queries 'Currently this facility is 
 limited to IPv4.'
 Is there any technical reason for this behaviour or is there just 'a bit 
 work to be done'?
>>  
>>> The technical reason is limited to "it's not obvious that this nasty
>>> hack is useful for IPv6" If it could be demonstrated to be useful,
>>> there's nothing to stop if being implemented for IPV6, as far as I know.
>> 
>> Is a multi homed machine not a usefull scenario in IPv6?

IPv6 multi-homing is more difficult without SADR and without source
specific RA. SADR is pretty common now...

>> This would avoid unnecessary routing (as in IPv4).
>> 
>> Regards, Carsten
>> 
>
> IPv6 seems to use a lot of /128 routes, with transits of the router even
> for machines on the same network. Nevertheless, your point is a good one.

Heh. If you want to try for something about ipv6 inside dnsmasq that
scales, rtod ( https://github.com/dtaht/rtod ) is useful. See the README
for how it works.

bloom filter per interface?

>
> Simon.
>
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Accept /32 and /0 as valid CIDR prefixes for rev-server directive

[Dave Taht]

On Tue, Feb 14, 2017 at 7:17 AM, Simon Kelley  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> That's an improvement, but I tend to agree that /0 doesn't make much
> sense. If we're going to patch this, it seems to make more sense to
> reject anything other that /32 /24 /16 or /8.
>
> The  ideal solution would be to accept any prefix length and generate
> the (up to) 256 --server equivalents  that it corresponds to. If
> you're going to have syntactic sugar, it may as well work for you.

+1 on accepting any size netmask universally. I am perpetually getting
/48s... or /56s... or /60s or /61s, /62s or /63 and prefix splitting
in shell to generate the appropriate things for rev-server, etc, is a
PITA. I'm sitting here trying to remember which one of these two broke
with different sized netmasks

synth-domain=ula.taht.net,fd32:7d58:8d63::/64,ula-
rev-server=fd32:7d58:8d63::/48,fd32:7d58:8d63::1

And I did look at the code for both and was too dumb to figure out how
to apply the technique universally.


>
> Cheers,
>
> Simon.
>
>
>
> On 13/02/17 23:31, olivier.ga...@sigexec.com wrote:
>> From: Olivier Gayot 
>>
>> [ excerpt from the man page ] The rev-server directive provides a
>> syntactic sugar to make specifying address-to-name queries easier.
>> For example --rev-server=1.2.3.0/24,192.168.0.1 is exactly
>> equivalent to --server=/3.2.1.in-addr.arpa/192.168.0.1
>>
>> It is not mentioned in the man page but specifying anything but /8
>> or /24 as the CIDR prefix has the same effect as specifying /16.
>>
>> It is not a big deal for subnets on non-octet boundaries since
>> they cannot be represented using a single in-addr.arpa address.
>> However, it is unconvenient for /32 and /0 prefixes while their
>> analogous server directives behave as expected. E.g. the following
>> server directives work as expected:
>>
>> server=/42.10.168.192.in-addr.arpa/1.2.3.4
>> server=/in-addr.arpa/1.2.3.4
>>
>> but the following do not:
>>
>> rev-server=192.168.10.42/32,1.2.3.4
>> rev-server=192.168.10.42/0,1.2.3.4
>>
>> and, in practice, they behave the same as:
>>
>> server=/168.192.in-addr.arpa/1.2.3.4
>> server=/168.192.in-addr.arpa/1.2.3.4
>>
>> This strange behaviour is fixed by accepting /32 and /0 CIDR
>> prefixes as valid values. Any other value will still be considered
>> the same as /16.
>>
>> Signed-off-by: Olivier Gayot  ---
>> src/option.c | 31 +-- 1 file changed,
>> 21 insertions(+), 10 deletions(-)
>>
>> diff --git a/src/option.c b/src/option.c index 4a5ef5f..eeca3d6
>> 100644 --- a/src/option.c +++ b/src/option.c @@ -850,19 +850,30 @@
>> char *parse_server(char *arg, union mysockaddr *addr, union
>> mysockaddr *source_a static struct server *add_rev4(struct in_addr
>> addr, int msize) { struct server *serv = opt_malloc(sizeof(struct
>> server)); -  in_addr_t  a = ntohl(addr.s_addr) >> 8; +  in_addr_t
>> a = ntohl(addr.s_addr); char *p;
>>
>> memset(serv, 0, sizeof(struct server)); -  p = serv->domain =
>> opt_malloc(25); /* strlen("xxx.yyy.zzz.in-addr.arpa")+1 */ - -  if
>> (msize == 24) -p += sprintf(p, "%d.", a & 0xff); -  a = a >>
>> 8; -  if (msize != 8) -p += sprintf(p, "%d.", a & 0xff); -  a =
>> a >> 8; -  p += sprintf(p, "%d.in-addr.arpa", a & 0xff); +  p =
>> serv->domain = opt_malloc(29); /*
>> strlen("xxx.yyy.zzz.ttt.in-addr.arpa")+1 */ + +  switch (msize) +
>> { +case 32: +  p += sprintf(p, "%d.", a & 0xff); +  /*
>> fall through */ +case 24: +  p += sprintf(p, "%d.", (a >>
>> 8) & 0xff); +  /* fall through */ +default: +case 16: +
>> p += sprintf(p, "%d.", (a >> 16) & 0xff); +  /* fall through
>> */ +case 8: +  p += sprintf(p, "%d.in-addr.arpa", (a >> 24)
>> & 0xff); +  break; +case 0: +  p += sprintf(p,
>> "in-addr.arpa"); +}
>>
>> serv->flags = SERV_HAS_DOMAIN; serv->next = daemon->servers;
>>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> iQIcBAEBCAAGBQJYox+hAAoJEBXN2mrhkTWiBSUQAJQxq6yD3Tcw/39On0QcLcfy
> aZTerALrzgrwlpyH4yVWeztrA3pFK1uVLIhnQP161zR+NJRI5Bo0J7tAOElETm3k
> QQ0HEu16skPHdmzlmbR1MMLoVKn4myh6hDm5iFSAf+jsCpItAzYo5Cy9/oAz3PNU
> Hp1SKxYNwrcSTw5FQrLpNuhZxbqvkA5KiU3URcnzv3mW2YbMzcjrULL7hF7xfN0t
> 2iwI8shObm/3FMDux7jX1wuRPQALWokaXFhAyOTDUVBONavA4W/PxS+8VvV4noi4
> dFh6FMhJYPggUh7v02PTOoPtSuvaLNGt1vgWeHt1sqTXEo6rVsft085fKwH1uONw
> SGWrGhnFaVDewHeEoB46K6qg7LYSoLa1cgv8li8QJ9ZTSiFC7ZqIWsXBQ5oqlGzr
> 0iR6jo1yqISvwyek8nogsgNWI4zx/mmC1AXhR/OjE8Y/3MA87rhpY+t/U2ZJug5e
> f611DvKCl4iQuL/EyWY7hCIK7XCHi4ACx7sosN21zgL2/ToLshaF7i3rcYC6F/Bx
> 5GGgv6x6WiXWRMk82YiqcEphnOdphsWen4ZMHTdlBIzZ1EXpD5XwhDHTzzmD3SlT
> oNjwPR1Gmkt1yXxLSvvr6mp7XFRDQOJMWDHvmfroH4p2hcxyB/2dSbhLjrfri0nL
> WsjDDAhdIM1aHokLmLqi
> =mtD9
> -END PGP SIGNATURE-
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> 

Re: [Dnsmasq-discuss] IDN (internationalized domain name) support

[Dave Taht]

On Tue, Jan 31, 2017 at 8:57 AM, Simon Kelley <si...@thekelleys.org.uk> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> It's included in the Debian, (and therefore Ubuntu) packaging.
>
> Of course the only difference it makes is to the interpretation of
> domain names in /etc/hosts and friends and config files. - IDNs get
> cached and forwarded by dnsmasq fine without the support being included.

Good to know. Perhaps now I can have my umlaut in my last name back on
some domain name somewhere.

> OK, it also affects logging, I think. göögle.com  appears in the logs
> göögle.com and not as xn--ggle-5qaa.com

That jumps to a very interesting site, btw...

And I guess a couple loggers and logger utilities need to be checked
if they are 8 bit clean.

>
> Cheers,
>
> Simon.
>
>
>
> On 28/01/17 21:09, Dave Taht wrote:
>> I am curious as to the deployment status of IDN in the field?
>>
>> and to how often others are building it into their default distro
>> of dnsmasq, and any issues that may exist (other than improving the
>> ease of domain name phishing)
>>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> iQIcBAEBCAAGBQJYkMHnAAoJEBXN2mrhkTWi2vUP/iX/Z/tnB/Skw6yGWxlIu28W
> bcajXnUjCfph8xixJXGKDJNWzLSxPgPpEGhJfzZQvtDOrC7rr4MAKxBSuhpfciVV
> PWQm9t6JAwwIfaW9u4gLw9dTifiHJovbgNsR1KMwcqNARy3S6WSTjERpmm9h2Tp2
> pI4n1Bg+IAEG/f5b9QxjPTFlbGrZbiVpsp+hVUftUGykQjugtP6lo4UpeLXjPrjJ
> a2ZVi4Qpz/G9ujRkStq9PcLy4NOjc8ZHc85QBmUowCiGv5FJYJFUKRnEU2ChmFnY
> tztFXgDjXHMaGV/Am44w+HpCTWHDyENEd2iKFhm+hSfnD89P5N02mRUxstQJdKrE
> yEBv22/U2mAW6o4XJWWVIB31h4gMNAFQPiAlSlLVquFx40kcWRswoqZKrCCIvYsy
> tJm8FjawA/Yt9kIdM71ymJ6NkwYPr0rfgZE95p/5L5q+nidOVVbDN/eGNyY4yylM
> tcsKo22D+GyRFLmc/NqnuCbq9PaXbHY88s5lJQf1mSKdYKckMYmPgVXnq45M2AaO
> auUpTEdhsXsfzOULzOQmXwv2dSfo2IHfRZRFJeSpMf7JwAMjgxiK3tEidPL75LUt
> vM6xkVNBCD8LlFj5BK94EhSw+3QDCZmQUBU4FImF8aOCxsdq+Vk+/D4nGJW1SgGC
> 9aMz4z1pFq3IM44GP+fN
> =X8Ni
> -END PGP SIGNATURE-
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] IDN (internationalized domain name) support

[Dave Taht]

I am curious as to the deployment status of IDN in the field?

and to how often others are building it into their default distro of
dnsmasq, and any issues that may exist (other than improving the ease
of domain name phishing)

-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Bug forward upstream SERVFAIL

[Dave Taht]

From a brief conversation with the bind9 maintainer:

D: if bind gets a servfail, and has two forwarders, will it try the
other forwarder?
E: Yes.

D: Even in the case of a dnssec query?
E:

Bind9 retries an authoritative answer because it might have been
spoofed or one of the servers might be out of date or misconfigured.
It uses the function fctx_nextaddress() to get the next address to try
when a query fails. fctx_nextaddress() searches through both
forwarders and auth servers, depending on what kind of query it is.

D: So I believe it is correct for dnsmasq to try all upstreams on a
servfail response, which restores the prior dnsmasq behavior, and is
more robust.
E: Yes.

D: This seems to look like the right thing:

https://github.com/MartinWetterwald/dnsmasq/pull/1/files

-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Got bad packet: bad compression pointer

[Dave Taht]

The offputting part of your outline of what to check for was "some
hairy pointer code". :) I'm in the middle of some crash bugs
elsewhere, and I didn't realize how fast I could get you data without
thinking about the "hairy" parts.


dnssec and dnssec-check-unsigned are enabled, and I'm using cachesize
 (what's the limit nowadays?)

I put packet captures of the external interface on the router (comcast
upstream) and captures taken at the client, a log, and conf file,
here:

http://www.taht.net/~d/dnssecbug/

Basically hammering on nslookup for the two internal and internal
captures there.

Hammering on "dig" later, I was unable to trigger it on A, or 
requests. Was able to easily trigger it on a MX request.

flent-freemont does not exist, btw. Flent-fremont, does. It will go
boom on both.



root@dancer:~/dnssecbug# dig flent-freemont.bufferbloat.net MX
;; Got bad packet: bad compression pointer
123 bytes
a5 c9 81 a0 00 01 00 00 00 01 00 01 0e 66 6c 65  .fle
6e 74 2d 66 72 65 65 6d 6f 6e 74 0b 62 75 66 66  nt-freemont.buff
65 72 62 6c 6f 61 74 03 6e 65 74 00 00 0f 00 01  erbloat.net.
c0 1b 00 06 00 01 00 00 0e 10 00 34 06 61 72 6e  ...4.arn
6f 6c 64 02 6e 73 0a 63 6c 6f 75 64 66 6c 61 72  old.ns.cloudflar
65 03 63 6f 6d 00 03 64 6e 73 c0 eb 78 9d d7 47  e.com..dns..x..G
00 00 27 10 00 00 09 60 00 09 3a 80 00 00 0e 10  ..'`..:.
00 00 29 02 00 00 00 00 00 00 00 ..)
root@dancer:~/dnssecbug# dig flent-freemont.bufferbloat.net MX

; <<>> DiG 9.10.3-P4-Ubuntu <<>> flent-freemont.bufferbloat.net MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34631
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;flent-freemont.bufferbloat.net.INMX

;; AUTHORITY SECTION:
bufferbloat.net.3600INSOAarnold.ns.cloudflare.com.
dns.cloudflare.com. 2023610183 1 2400 604800 3600

;; Query time: 72 msec
;; SERVER: 172.26.16.1#53(172.26.16.1)
;; WHEN: Wed Jan 18 12:42:02 PST 2017
;; MSG SIZE  rcvd: 123



On Wed, Jan 18, 2017 at 12:01 PM, Dave Taht <dave.t...@gmail.com> wrote:
> On Wed, Jan 18, 2017 at 11:48 AM, Simon Kelley <si...@thekelleys.org.uk> 
> wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> I won't have access to a MIPS system 'till the weekend.
>>
>> I assume you're using the git head code?
>
> No. Lede-project head. package claims to be dnsmasq-2.76-6. libc is musl.
>
> Box under test was an archer c7v2. Can go try a few other mips boxes
> like the wndr3800, but I've seen it there too. The arm box (that is
> working) is an linksys-1200ac. (overall it's looking like a fine
> release of lede)
>
>> Did you manage to see a dump of the upstream reply?
>
> Not yet. I'll touch bases with you later in the week.
>
>>
>>
>> Simon.
>>
>>
>>
>> On 18/01/17 07:31, Dave Taht wrote:
>>> so far I can only make it happen on mips. Doesn't happen on arm.
>>> Haven't tried harder yet.
>>>
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v2.0.22 (GNU/Linux)
>>
>> iQIcBAEBCAAGBQJYf8aDAAoJEBXN2mrhkTWiN9UP/2E9D6j/nd3RsubzHgZSvzB/
>> CJPNyk32jnAqZdIa9D3DOH2L9gN5GyBiAtv4iCz5KuzDnB9twBtQWOdzde5sZWWd
>> 4t8tSsvJkr0pRZhhRQKelF2oW0k7Y0UM4mD90ZoabX9ytQG4ceTFkHKlwwPLvvTc
>> Osh9RmCpX1tsJoE/y+lMpEdT+GlhOe4z2Z9FZlTN7ke/uO9nIarekSIvnxgOnyac
>> vrHvgnjyyEHbfr0BNaupdwZz9d/dVABYkFTDUk4dg4tn6MW99AsbD2DaL9alx8U/
>> MsvbFarQe/w8fJkmBJOThWkLMvpO1854XAysc8/m5ldIEwcV4Yge29nYrmDhn9kH
>> Evo7wbKSH4AYGskYTiWnssczu1RhQOX9jCD31gv5CVOeTY4Dt7NR3WFCsAH2RYpR
>> jcstckC5R1fqfKtQt9B0l2SWmmLukRcMbGM1hiJbqGrZcb++gZ2RYl80AD0iQhkD
>> GjLNQAUKwlDwzB7JYXX+Fn0AVvP/G4qrmYBFlcxloddtrCiNqu4icTYIAb1zv0Lo
>> opM+0fFcfg1PPPobTQ7FLJQR/uAO93MWZJ43Ht90YEdk6aaBCf7Ego1fU0G6TjCV
>> iphmOqvhs96GFfhaBMYwFxvHb1tHNDT+Xzlsvkvk+S8SKyhNOg5GJOL2Dz78vlB/
>> fcImILW4vRf4rIkMDZKL
>> =kPYg
>> -END PGP SIGNATURE-
>
>
>
> --
> Dave Täht
> Let's go make home routers and wifi faster! With better software!
> http://blog.cerowrt.org



-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Got bad packet: bad compression pointer

[Dave Taht]

On Wed, Jan 18, 2017 at 11:48 AM, Simon Kelley <si...@thekelleys.org.uk> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> I won't have access to a MIPS system 'till the weekend.
>
> I assume you're using the git head code?

No. Lede-project head. package claims to be dnsmasq-2.76-6. libc is musl.

Box under test was an archer c7v2. Can go try a few other mips boxes
like the wndr3800, but I've seen it there too. The arm box (that is
working) is an linksys-1200ac. (overall it's looking like a fine
release of lede)

> Did you manage to see a dump of the upstream reply?

Not yet. I'll touch bases with you later in the week.

>
>
> Simon.
>
>
>
> On 18/01/17 07:31, Dave Taht wrote:
>> so far I can only make it happen on mips. Doesn't happen on arm.
>> Haven't tried harder yet.
>>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> iQIcBAEBCAAGBQJYf8aDAAoJEBXN2mrhkTWiN9UP/2E9D6j/nd3RsubzHgZSvzB/
> CJPNyk32jnAqZdIa9D3DOH2L9gN5GyBiAtv4iCz5KuzDnB9twBtQWOdzde5sZWWd
> 4t8tSsvJkr0pRZhhRQKelF2oW0k7Y0UM4mD90ZoabX9ytQG4ceTFkHKlwwPLvvTc
> Osh9RmCpX1tsJoE/y+lMpEdT+GlhOe4z2Z9FZlTN7ke/uO9nIarekSIvnxgOnyac
> vrHvgnjyyEHbfr0BNaupdwZz9d/dVABYkFTDUk4dg4tn6MW99AsbD2DaL9alx8U/
> MsvbFarQe/w8fJkmBJOThWkLMvpO1854XAysc8/m5ldIEwcV4Yge29nYrmDhn9kH
> Evo7wbKSH4AYGskYTiWnssczu1RhQOX9jCD31gv5CVOeTY4Dt7NR3WFCsAH2RYpR
> jcstckC5R1fqfKtQt9B0l2SWmmLukRcMbGM1hiJbqGrZcb++gZ2RYl80AD0iQhkD
> GjLNQAUKwlDwzB7JYXX+Fn0AVvP/G4qrmYBFlcxloddtrCiNqu4icTYIAb1zv0Lo
> opM+0fFcfg1PPPobTQ7FLJQR/uAO93MWZJ43Ht90YEdk6aaBCf7Ego1fU0G6TjCV
> iphmOqvhs96GFfhaBMYwFxvHb1tHNDT+Xzlsvkvk+S8SKyhNOg5GJOL2Dz78vlB/
> fcImILW4vRf4rIkMDZKL
> =kPYg
> -END PGP SIGNATURE-



-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Got bad packet: bad compression pointer

[Dave Taht]

so far I can only make it happen on mips. Doesn't happen on arm.
Haven't tried harder yet.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Got bad packet: bad compression pointer

[Dave Taht]

On Mon, Jan 16, 2017 at 1:11 PM, Simon Kelley <si...@thekelleys.org.uk> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Host makes A,  and MX queries and it's the reply to the MX  that's
> failing. This all works fine here (dnsmasq and host both running on
> the same x86_64 host. The reply to the MX query looks like this.
>
>
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19992
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;flent-fremont.bufferbloat.net. IN  MX
>
> ;; AUTHORITY SECTION:
> bufferbloat.net.1798IN  SOA arnold.ns.cloudflare.com.
> dns.cloudflare.com. 2023610183 1 2400 604800 3600
>
> ;; Query time: 50 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 16 20:27:43 GMT 2017
> ;; MSG SIZE  rcvd: 122
>
>
> Comparing the packet dump you have with the correct answer I'm seeing,
> there are a few not-important differences (transaction-id,
> time-to-live and SOA serial), the only other difference is the second
> domain name in the SOA record, dns.cloudflare.com. That's represented
> as the label "dns" and then a compression pointer pointing back to
> previous instance of "cloudflare.com" in arnold.ns.cloudflare.com. The
> correct pointer is c0 45, the pointer in your dump is c0 f0. (the c0
> is flags, the 45 (or f0) is an offset from the start of the packet).
>
> This packet has been through some hairy code in dnsmasq which elides
> DNSSEC records (RRSIGs etc) and has to fix up the pointers thus
> affected. My guess is that that's the problem, somehow, but I'm at a
> loss to say why it works for me and breaks for you.

It's a mips box supplying dns here. Different rules for alignment?

>
> Note that if my hypothesis is correct, you'll only see the effect when
> the answer comes from upstream, and not when the answer comes from the
> dnsmasq cache.
>
> If you want to try and debug this, first check that you can see the
> same error just doing the MX query with a cold cache, then look at
> what's happening in rrfilter() in src/rrfilter.c
>
> The other thing that would be useful is to capture the answer from
> usptream complete with the NSEC and RRSIG records that need to be
> removed. When I do that, the NSEC and RRSIG records come _after_ the
> SOA record, so that the compression pointer in the SOA record doesn't
> need to be touched at all, if the order of the records varied, that
> could expose bugs in this code.
>
> Not an answer, but some good clues..

Don't even know if it's over ipv4 or ipv6 at the moment. will check harder.


Great clues, thx, I'll get on it after I resolv

https://bugs.lede-project.org/index.php?do=details_id=388


>
> Cheers,
>
> Simon.
>
>
>
>
>
>
> On 16/01/17 18:56, Dave Taht wrote:
>> I am testing the dnsmasq-full build on current lede-project head,
>> and enabled dnssec. Then :
>>
>> root@dancer:/# host flent-fremont.bufferbloat.net
>> flent-fremont.bufferbloat.net has address 23.239.20.41
>> flent-fremont.bufferbloat.net has IPv6 address
>> 2600:3c01::f03c:91ff:fe50:48d4 ;; Got bad packet: bad compression
>> pointer 111 bytes 40 41 81 80 00 01 00 00 00 01 00 00 0d 66 6c 65
>> @A...fle 6e 74 2d 66 72 65 6d 6f 6e 74 0b 62 75 66 66 65
>> nt-fremont.buffe 72 62 6c 6f 61 74 03 6e 65 74 00 00 0f 00 01 c0
>> rbloat.net.. 1a 00 06 00 01 00 00 0e 10 00 34 06 61 72 6e 6f
>> ..4.arno 6c 64 02 6e 73 0a 63 6c 6f 75 64 66 6c 61 72 65
>> ld.ns.cloudflare 03 63 6f 6d 00 03 64 6e 73 c0 f0 78 9d d7 47 00
>> .com..dns..x..G. 00 27 10 00 00 09 60 00 09 3a 80 00 00 0e 10
>> .'`..:.
>>
>>
>> Filed the bug here:
>> https://bugs.lede-project.org/index.php?do=details_id=392
>>
>> I see a few other references to this phrase elsewhere on the net
>> but did not find a resolution.
>>
>> In this case I've seen this with osx sierra, and "dancer" is a
>> pretty recent ubuntu box. The dnssec tests on the web seem to all
>> pass, it just shows up with host - and not consistently. I just had
>> it happen one time in 4, on a recent test.
>>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> iQIcBAEBCAAGBQJYfTb0AAoJEBXN2mrhkTWiffYP/Ariw/tDKjfy8pd6/Z2Nixc/
> MW5zcQAh421uxrSIA4NNhJeymiXdiwQNC8CAbvtSPNvwE87Ed8GlnfExnYSzWpig
> UvjJS1fXRF+y57e8UcqQmZEXTNtE/wdc5Rs0nqv+TpLaBMXF4nVjABmSsNOzymrw
> VQdMOHIrqGx4xmeiRU2JhUXPX57uxLTH1PmJ0PxHj5RPWm9xG8kzq3h7gtzA6hMs
> j/SXApIM6trC34D+

[Dnsmasq-discuss] Got bad packet: bad compression pointer

[Dave Taht]

I am testing the dnsmasq-full build on current lede-project head, and
enabled dnssec. Then :

root@dancer:/# host flent-fremont.bufferbloat.net
flent-fremont.bufferbloat.net has address 23.239.20.41
flent-fremont.bufferbloat.net has IPv6 address 2600:3c01::f03c:91ff:fe50:48d4
;; Got bad packet: bad compression pointer
111 bytes
40 41 81 80 00 01 00 00 00 01 00 00 0d 66 6c 65  @A...fle
6e 74 2d 66 72 65 6d 6f 6e 74 0b 62 75 66 66 65  nt-fremont.buffe
72 62 6c 6f 61 74 03 6e 65 74 00 00 0f 00 01 c0  rbloat.net..
1a 00 06 00 01 00 00 0e 10 00 34 06 61 72 6e 6f  ..4.arno
6c 64 02 6e 73 0a 63 6c 6f 75 64 66 6c 61 72 65  ld.ns.cloudflare
03 63 6f 6d 00 03 64 6e 73 c0 f0 78 9d d7 47 00  .com..dns..x..G.
00 27 10 00 00 09 60 00 09 3a 80 00 00 0e 10 .'`..:.


Filed the bug here:
https://bugs.lede-project.org/index.php?do=details_id=392

I see a few other references to this phrase elsewhere on the net but
did not find a resolution.

In this case I've seen this with osx sierra, and "dancer" is a pretty
recent ubuntu box. The dnssec tests on the web seem to all pass, it
just shows up with host - and not consistently. I just had it happen
one time in 4, on a recent test.

-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Fwd: strategies to mitigate DNS amplification attacks in ISP network

[Dave Taht]

DNS cookies look kind of interesting...


-- Forwarded message --
From: Mark Andrews 
Date: Wed, Dec 2, 2015 at 1:39 AM
Subject: Re: strategies to mitigate DNS amplification attacks in ISP network
To: Michael Hare 
Cc: "na...@nanog.org" 



Deploy DNS COOKIES.  This allows legitimate UDP traffic to be
identified and treated differently to spoofed traffic by providing
the equivalent to a TCP handshake but over UDP.

This is currently in IETF last call but the code points are assigned
and implementations are available.  Ask your nameserver vendor for
this today.  Ask your OS vendor for support.

https://tools.ietf.org/html/draft-ietf-dnsop-cookies-07

Mark

In message , Michael Hare writes:
> Martin-
>
> I represent a statewide educational network running Juniper gear that is a qu
> asi-enterprise.  I think efforts depend on size and type of network.  We are
> testing an approach that involves;
>
> 1) whitelisting known local resolvers, well behaved cloud DNS resolvers.
> 2) on ingress, policing non-conforming traffic that matches UDP src port 53 d
> st port unreserved bytes > 1400
> 3) on ingress, queuing fragments to high packet loss priority [you better und
> erstand how fragments are used in your network before doing this]
> 4) If you have Juniper gear look into prefix-action
> 5) RTBH if required
>
> This obviously doesn't work on the core of the internet.
>
> Other good tips:
> * strengthen [anycast] your local DNS resolvers and consider a scheme that al
> lows you to change their outgoing address on the fly.
> * push [some] of your external authoritative DNS to the cloud.
>
> -Michael
>
> > > -Original Message-
> > > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Martin T
> > > Sent: Tuesday, December 01, 2015 11:00 AM
> > > To: na...@nanog.org
> > > Subject: strategies to mitigate DNS amplification attacks in ISP network
> > >
> > > Hi,
> > >
> > > as around 40% of ASNs allow at least partial IPv4 address spoofing in
> > > their network(http://spoofer.csail.mit.edu/summary.php) and there are
> > > around 30 million open-resolvers(http://openresolverproject.org/) in
> > > the Internet, then DNS amplification traffic is daily occasion for
> > > ISPs. This in probably mainly because RPF checks and DNS
> > > RRL(https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Respons
> e-
> > > Rate-Limiting.html)
> > > are not ubiquitously implemented, recursive requests without any ACLs
> > > in DNS servers are often allowed, it requires little effort from
> > > attackers point of view and is effective attack method. Unfortunately,
> > > there seems to be very limited number of countermeasures for ISPs. Few
> > > which I can think of:
> > >
> > > 1) higher capacity backbone links - I'm not sure if this can be
> > > considered a mitigation method, but at least it can help to affect
> > > smaller amount of customers if traffic volumes are not very high
> > >
> > >
> > > 2) rate-limit incoming DNS traffic flows on peering and uplink ports -
> > > here I mean something similar to iptables "recent"
> > > module(http://www.netfilter.org/documentation/HOWTO/netfilter-
> > extensions-
> > > HOWTO-3.html#ss3.16)
> > > which allows certain number of certain type of packets in a configured
> > > time-slot per IP. However, such functionality is probably not common
> > > on edge or backbone routers.
> > >
> > >
> > > Tracking the packet state does definitely not work because state table
> > > should be synchronized between all the routers in the network and
> > > again, this requires Internet-routers to have stateful firewall
> > > functionality. In addition, one also needs to allow new DNS
> > > connections from Internet to its network.
> > > If one simply polices incoming DNS traffic on uplink and peering
> > > ports(for example if baseline DNS traffic is 5Mbps, then policer is
> > > set to 50Mbps), then legitimate customers DNS traffic is also affected
> > > in case of actual attack occurs and policer starts to drop DNS
> > > traffic, i.e. policer has no way to distinguish between the legitimate
> > > and non-legitimate incoming DNS traffic.
> > >
> > >
> > > Am I wrong in some points? What are the common practices to mitigate
> > > DNS amplification attacks in ISP network?
> > >
> > >
> > > thanks,
> > > Martin
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Last call for signatures to the FCC on the wifi lockdown issue

[Dave Taht]

The CeroWrt project's letter to the FCC on how to better manage the
software on wifi and home routers vs some proposed regulations is now
in last call for signatures. The final draft of our FCC submittal is
here:

https://docs.google.com/document/d/15QhugvMlIOjH7iCxFdqJFhhwT6_nmYT2j8xAscCImX0/edit?usp=sharing

The principal signers (Dave Taht and Vint Cerf), are joined by many
network researchers, open source developers, and dozens of developers
of aftermarket firmware projects like OpenWrt.

Prominent signers currently include:

Jonathan Corbet, David P. Reed, Dan Geer, Jim Gettys, Phil Karn, Felix
nFietkau, Corinna "Elektra" Aichele, Randell Jesup, Eric S. Raymond,
Simon Kelly, Andreas Petlund, Sascha Meinrath, Joe Touch, Dave Farber,
Nick Feamster, Paul Vixie, Bob Frankston, Eric Schultz, Brahm Cohen,
Jeff Osborn, Harald Alvestrand, and James Woodyatt.

If you would like to join our call for substituting sane software
engineering practices over misguided regulations, the window for
adding your signature to the letter closes at 11:59AM ET, today,
Friday, 2015-10-08.

Sign via webform here: http://goo.gl/forms/WCF7kPcFl9

We are at approximately 170 signatures as I write.

For more details on the controversy we are attempting to address, or
to submit your own filing to the FCC see:

https://libreplanet.org/wiki/Save_WiFi
https://www.dearfcc.org/

Sincerely,

Dave Täht
CeroWrt Project Architect
Tel: +46547001161

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Fwd: Important Info for signers of the FCC Letter from Dave Täht and CeroWrt

[Dave Taht]

If anyone here is as tired as I am of vendors shipping obsolete
versions of dnsmasq in "new" routers, please consider signing the
upcoming letter to the FCC. Details and links below.

-- Forwarded message --
From: Rich Brown <richb.hano...@gmail.com>
Date: Wed, Oct 7, 2015 at 7:16 PM
Subject: Important Info for signers of the FCC Letter from Dave Täht and CeroWrt
To: Dave Taht <dave.t...@gmail.com>


Thank you for endorsing our comments to the FCC about locking down
Wi-Fi routers and other devices. Your signature is one of over 140
names at this time.

I am working with Dave Täht to complete the submission. We have
prepared a near-final draft of the letter which we will submit on
Friday, 9 October. We welcome you to review the current version at:
https://docs.google.com/document/d/1E1D1vWP9uA97Yj5UuBPZXuQEPHARp-AhRqUOeQB2WPk/edit#

Important points:

1) If you still agree with the letter, you do not do need to do
anything. We received all the information we need from the form at
http://goo.gl/forms/WCF7kPcFl9

IF you have not signed yet, please do so soon.

2) THE FCC REQUIRES WE INCLUDE YOUR NAME AND POSTAL ADDRESS. That
information *will* be published on the open web. If you do not wish to
be included, please let me know.

3) IF YOU DO NOT AGREE (or no longer agree) with the letter, please
respond to this note and let me know. In either case, I will ensure
that your name is not included in our response.

4) The window for updating/adding/removing your name will close
tomorrow, Thursday 8 October at 11:59pm ET.

5) If you included a "Personal Comment" on the web form, or have
further thoughts, please consider filing a separate note with the FCC
containing that comment. It will have greater impact. It's easy to do
this at http://apps.fcc.gov/ecfs/hotdocket/list - find the "15-170"
item (first in the list, with more than 340 other filers) If you
didn't keep a copy of your comment, send me a note and I will look it
up.

Thanks again!


Rich Brown


-- 
Dave Täht
Do you want faster, better, wifi? https://www.patreon.com/dtaht

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

[Dave Taht]

on a comcast native ipv6 connection, 1232 from OSX (ping6 -s 1232
2001:4860:4860::)

On the router *itself* I can't even

 ping6 -s 80 2001:4860:4860::

PING 2001:4860:4860:: (2001:4860:4860::): 80 data bytes

^C

--- 2001:4860:4860:: ping statistics ---

1 packets transmitted, 0 packets received, 100% packet loss

So i kind of suspected the -s calculation includes headers on one OS
or the other, or, I thought briefly, have a firewall rule in the way,
but weirdly
I can ping6 -s 4000 to snapon.lab.bufferbloat.net from the router
also. This makes no sense whatsoever.

sigh. We have a tool (isoburst) we keep meaning to polish up that
tests udp extensively, I guess we're going to have to add
fragmentation checks to it.



On Thu, May 7, 2015 at 6:32 AM, Toke Høiland-Jørgensen t...@toke.dk wrote:
 Simon Kelley si...@thekelleys.org.uk writes:

 Using ping6 2001:4860:4860:: -s packet size

 (that's the Google public DNS server)

 I see answers up to packet size 1344.

 I get answers up to -s 1432. This is on an he.net tunnel.

 -Toke

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht
Open Networking needs **Open Source Hardware**

https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

[Dave Taht]

Suspecting edns0 (I am also using ipv6 only as my upstream forwarder),
i dropped edns_packet_max


dair-833:babeld d$ dig +dnssec www.ietf.org

;; Truncated, retrying in TCP mode.


;  DiG 9.8.3-P1  +dnssec www.ietf.org

;; global options: +cmd

;; Got answer:

;; -HEADER- opcode: QUERY, status: NOERROR, id: 4614

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags: do; udp: 1200

;; QUESTION SECTION:

;www.ietf.org. IN A


;; ANSWER SECTION:

www.ietf.org. 1292 IN CNAME www.ietf.org.cdn.cloudflare-dnssec.net.

www.ietf.org. 1292 IN RRSIG CNAME 5 3 1800 20160426153432
20150427143650 40452 ietf.org.
P/M2NpsObZhTLqxxkQqDnKCkIqhgcBQcSRidfikEAFDrNUKJDeah8z4S
8/QRGqsn4OtmZHHhm0LwfxtUrqQkB/sbQzoUVgAdPQHQRxmUpZ58BQ4O
P8jcThPIWnlauBBNusbTuq/iEo2L73P+eBBesGq+rCiUDmKHAfbo2aF4
fKh9q8NjmJbfAoD6ihjq5aNigzPErwv7mZ6jLg/eS1xh12pox5EYAUnO
lPXIj5puSgizSkr7oOZv41kIiqxyvxGdu37ti7zc73p5NGI5qng+eSOE
JcvK0VQc1Rn18nlwnq3yM+o6VldGDfMX6WY+zywKwyI3tFnpqAtKC+CJ /JxtIw==

www.ietf.org.cdn.cloudflare-dnssec.net. 64 IN A 104.20.0.85

www.ietf.org.cdn.cloudflare-dnssec.net. 64 IN A 104.20.1.85

www.ietf.org.cdn.cloudflare-dnssec.net. 64 IN RRSIG A 13 6 300
20150507200525 20150505180525 35273 cloudflare-dnssec.net.
jcky3oJ2x1ZUfEQJCSLEqjCWA9ifxAArUb2ZVsnHbhBngBq0IvER4KCU
mrdAy7+5vHduGsaMg/y4mHLfJohcRA==


;; Query time: 222 msec

;; SERVER: 172.26.16.1#53(172.26.16.1)

;; WHEN: Wed May  6 12:08:13 2015

;; MSG SIZE  rcvd: 538


On Wed, May 6, 2015 at 11:22 AM, Dave Taht dave.t...@gmail.com wrote:
  nslookup www.ietf.org fails again... it did not fail a few days ago.

 chrome returns nxdomain


 --
 Dave Täht
 Open Networking needs **Open Source Hardware**

 https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67



-- 
Dave Täht
Open Networking needs **Open Source Hardware**

https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

[Dave Taht]

 nslookup www.ietf.org fails again... it did not fail a few days ago.

chrome returns nxdomain


-- 
Dave Täht
Open Networking needs **Open Source Hardware**

https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

[Dave Taht]

I retried it with edns0 set to 1500 bytes, and it worked (falling back
to tcp). 1800 bytes did not.

an osx box was the client.

I did capture the transaction(s) this time, the failing queries and a
working one are at: http://snapon.lab.bufferbloat.net/~d/dnsmasq/

One of my concerns has always been what fq_codel's algorithm does to
fragmented packets in general... but I have not looked at this
captures...

The testing I was doing earlier (where ietf.org worked) was with a
linux box as the client a few days ago. I will resume testing that
later today, and also continue slamming dnsmasq with queries over ipv6
from the alexa top 1m



On Wed, May 6, 2015 at 12:30 PM, Kevin Darbyshire-Bryant
ke...@darbyshire-bryant.me.uk wrote:
 Continues to work here on my iPhone hiding behind openwrt cc trunk 
 dnsmasq2.73rc7

 Were I not on the iPhone I could do some dig'age :-)

 --
 Cheers,

 ke...@darbyshire-bryant.me.uk
 Sent from my phone, apologies for brevity, spelling  top posting

 On 6 May 2015, at 20:21, Dave Taht dave.t...@gmail.com wrote:

 nslookup www.ietf.org fails again... it did not fail a few days ago.

 chrome returns nxdomain


 --
 Dave Täht
 Open Networking needs **Open Source Hardware**

 https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht
Open Networking needs **Open Source Hardware**

https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

[Dave Taht]

prematurely sent that email. setting edns_packet_max to 1200 made it
drop to tcp and work.

I am going to argue that edns0 should be set to the bare minimum, by
default, in dnsmasq, whatever it is, for it to
fall back to tcp correctly.

On Wed, May 6, 2015 at 12:09 PM, Dave Taht dave.t...@gmail.com wrote:
 Suspecting edns0 (I am also using ipv6 only as my upstream forwarder),
 i dropped edns_packet_max


 dair-833:babeld d$ dig +dnssec www.ietf.org

 ;; Truncated, retrying in TCP mode.


 ;  DiG 9.8.3-P1  +dnssec www.ietf.org

 ;; global options: +cmd

 ;; Got answer:

 ;; -HEADER- opcode: QUERY, status: NOERROR, id: 4614

 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1


 ;; OPT PSEUDOSECTION:

 ; EDNS: version: 0, flags: do; udp: 1200

 ;; QUESTION SECTION:

 ;www.ietf.org. IN A


 ;; ANSWER SECTION:

 www.ietf.org. 1292 IN CNAME www.ietf.org.cdn.cloudflare-dnssec.net.

 www.ietf.org. 1292 IN RRSIG CNAME 5 3 1800 20160426153432
 20150427143650 40452 ietf.org.
 P/M2NpsObZhTLqxxkQqDnKCkIqhgcBQcSRidfikEAFDrNUKJDeah8z4S
 8/QRGqsn4OtmZHHhm0LwfxtUrqQkB/sbQzoUVgAdPQHQRxmUpZ58BQ4O
 P8jcThPIWnlauBBNusbTuq/iEo2L73P+eBBesGq+rCiUDmKHAfbo2aF4
 fKh9q8NjmJbfAoD6ihjq5aNigzPErwv7mZ6jLg/eS1xh12pox5EYAUnO
 lPXIj5puSgizSkr7oOZv41kIiqxyvxGdu37ti7zc73p5NGI5qng+eSOE
 JcvK0VQc1Rn18nlwnq3yM+o6VldGDfMX6WY+zywKwyI3tFnpqAtKC+CJ /JxtIw==

 www.ietf.org.cdn.cloudflare-dnssec.net. 64 IN A 104.20.0.85

 www.ietf.org.cdn.cloudflare-dnssec.net. 64 IN A 104.20.1.85

 www.ietf.org.cdn.cloudflare-dnssec.net. 64 IN RRSIG A 13 6 300
 20150507200525 20150505180525 35273 cloudflare-dnssec.net.
 jcky3oJ2x1ZUfEQJCSLEqjCWA9ifxAArUb2ZVsnHbhBngBq0IvER4KCU
 mrdAy7+5vHduGsaMg/y4mHLfJohcRA==


 ;; Query time: 222 msec

 ;; SERVER: 172.26.16.1#53(172.26.16.1)

 ;; WHEN: Wed May  6 12:08:13 2015

 ;; MSG SIZE  rcvd: 538


 On Wed, May 6, 2015 at 11:22 AM, Dave Taht dave.t...@gmail.com wrote:
  nslookup www.ietf.org fails again... it did not fail a few days ago.

 chrome returns nxdomain


 --
 Dave Täht
 Open Networking needs **Open Source Hardware**

 https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67



 --
 Dave Täht
 Open Networking needs **Open Source Hardware**

 https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67



-- 
Dave Täht
Open Networking needs **Open Source Hardware**

https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] seeing www.ietf.org fail dnssec with dnsmasq rc7

[Dave Taht]

Yes, I was using comcast native ipv6.

On Wed, May 6, 2015 at 1:49 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 This stuff does worry me. It's a big source of brittleness.

 One thing that's worth pointing out is that it's not necessarily the
 answer to the original query that's too big, it might be the answer to
 one of the DS or DNSKEY queries needed to validate it. If the answer to
 one of those comes back with the TrunCated bit set, then dnsmasq
 abandons the whole thing and returns a TC answer to the original
 question so that the requestor tries again in TCP mode. Now the DS or
 DNSKEY query gets done in TCP mode too, and the answer isn't truncated.
 Dnsmasq  doesn't mix TCP and UDP queries in one validation, and always
 does the upstream queries in the same mode as the query it's answering.

 That explains why it's falling back to TCP even though the final
 (signed) answer is 538 bytes.

 Doing a quick binary chop. I see fallback to TCP if edns-packet-max is
 less then 1625, which is bigger than a ethernet packet.  Looking at the
 packet capture, I see that it's actually the answer to

 DNSKEY org

 which is 1625 bytes and fragmented (and reassembled) across my wireless
 LAN. Actually, it's probably fragmented somewhere on the other end of
 the 3G connection or before. It gets reassembled at this end.

 There are four DNSKEYS and the corresponding RRSIGS in that answer. I
 wonder if that's intended?

 All the above is on IPv4. Dave are you using IPv6? I'll try that next.

 Cheers,

 Simon.




 On 06/05/15 20:42, Dave Taht wrote:
 I retried it with edns0 set to 1500 bytes, and it worked (falling back
 to tcp). 1800 bytes did not.

 an osx box was the client.

 I did capture the transaction(s) this time, the failing queries and a
 working one are at: http://snapon.lab.bufferbloat.net/~d/dnsmasq/

 One of my concerns has always been what fq_codel's algorithm does to
 fragmented packets in general... but I have not looked at this
 captures...

 The testing I was doing earlier (where ietf.org worked) was with a
 linux box as the client a few days ago. I will resume testing that
 later today, and also continue slamming dnsmasq with queries over ipv6
 from the alexa top 1m



 On Wed, May 6, 2015 at 12:30 PM, Kevin Darbyshire-Bryant
 ke...@darbyshire-bryant.me.uk wrote:
 Continues to work here on my iPhone hiding behind openwrt cc trunk 
 dnsmasq2.73rc7

 Were I not on the iPhone I could do some dig'age :-)

 --
 Cheers,

 ke...@darbyshire-bryant.me.uk
 Sent from my phone, apologies for brevity, spelling  top posting

 On 6 May 2015, at 20:21, Dave Taht dave.t...@gmail.com wrote:

 nslookup www.ietf.org fails again... it did not fail a few days ago.

 chrome returns nxdomain


 --
 Dave Täht
 Open Networking needs **Open Source Hardware**

 https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss





 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht
Open Networking needs **Open Source Hardware**

https://plus.google.com/u/0/+EricRaymond/posts/JqxCe2pFr67

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] High Availability: Part Deux

[Dave Taht]

Well the most elegant and simple solution we came up with was:

https://tools.ietf.org/html/draft-taht-kelley-hunt-dhcpv4-to-slaac-naming-00

But the world did not go that way, preferring nothing that worked at all.


On Fri, Apr 3, 2015 at 12:20 PM, Jonathan Fisher
jonat...@springventuregroup.com wrote:
 Absolutely :) That setup works quite nicely right now actually! The problem
 then is DNS... with ipv6 coming down the pipe, it's time to stop addressing
 everyone with IPs and start using memorizable DNS names. Any ideas on that?

 Email Confidentiality Notice: The information contained in this transmission
 is confidential, proprietary or privileged and may be subject to protection
 under the law, including the Health Insurance Portability and Accountability
 Act (HIPAA). The message is intended for the sole use of the individual or
 entity to whom it is addressed. If you are not the intended recipient, you
 are notified that any use, distribution or copying of the message is
 strictly prohibited and may subject you to criminal or civil penalties. If
 you received this transmission in error, please contact the sender
 immediately by replying to this email and delete the material from any
 computer.

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] losing RRSIGS in dnsmasq 2.73rc3

[Dave Taht]

On Thu, Apr 2, 2015 at 1:50 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 02/04/15 21:43, Dave Taht wrote:
 On Thu, Apr 2, 2015 at 1:08 PM, Simon Kelley
 si...@thekelleys.org.uk wrote: I get a BOGUS validation because
 there's no DS record for bufferbloat.ne t

 bufferbloat.net uses dlv.isc.org, which dnsmasq doesn't support. I
 think we went round this loop last year sometime.

 I have to admit that we have not looked at how we did dnssec 4+
 years back. It does (now) just appear that we are misconfigured.
 Attempts to reach www.ietf.org always return the RRSIGS.


 What are you doing which allows this to validate? Maybe a
 configured trust-anchor for bufferbloat.net? I guess the first
 answer is being returned from upstream, and the second is coming
 from the dnsmasq cache. It should have RRSIGs never-the-less, but I
 can't work out what's happening until I understand how you're
 getting validation at all .

 I have no idea. I used comcast´s upstream resolvers.

 Are you giving dnsmasq the --dnssec-debug flag? If so you'll still get
 a reply (wo an ad flag) when the validation fails. That (combined
 with the second reply coming from cache) would fit the data provided.
 If you remove the dnssec-debug flag, you should get consistent
 SERVFAIL replies.

No dnssec-debug.

# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
dnssec-timestamp=/etc/dnssec_timestamp
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
dhcp-broadcast=tag:needs-broadcast
dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h
no-dhcp-interface=eth0



 (Next up for me is hammering dnssec via as many ways as I can
 come up with over ipv6, btw)



 I await developments..

Well, I wish I had a better test than namebench.


 S.
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2.0.22 (GNU/Linux)

 iEYEARECAAYFAlUdq7IACgkQKPyGmiibgrdr7gCglfq0dC/oWCYtQJS5KRd1lErZ
 NCAAoIkI5y98kMcDLJtfbx2hEGtfcaDm
 =ceEu
 -END PGP SIGNATURE-



-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] losing RRSIGS in dnsmasq 2.73rc3

[Dave Taht]

On Thu, Apr 2, 2015 at 1:08 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 I get a BOGUS validation because there's no DS record for bufferbloat.ne
 t

 bufferbloat.net uses dlv.isc.org, which dnsmasq doesn't support. I
 think we went round this loop last year sometime.

I have to admit that we have not looked at how we did dnssec 4+ years
back. It does (now) just appear that we are misconfigured. Attempts
to reach www.ietf.org always return the RRSIGS.


 What are you doing which allows this to validate? Maybe a configured
 trust-anchor for bufferbloat.net? I guess the first answer is being
 returned from upstream, and the second is coming from the dnsmasq
 cache. It should have RRSIGs never-the-less, but I can't work out
 what's happening until I understand how you're getting validation at all
 .

I have no idea. I used comcast´s upstream resolvers.

(Next up for me is hammering dnssec via as many ways as I can come up with
over ipv6, btw)



 Cheers,


 Simon.






 On 02/04/15 20:10, Dave Taht wrote:
 So I am testing with the latest 2.73 release candidate3.

 I do TWO dnssec queries on the same domain.

 The first, does the right thing. The second, does not give me the
 RRSIGs.


 d@nuc-client:~/public_html/archer_c7_O2$ dig www.bufferbloat.net
 +dnssec +multi

 ;  DiG 9.9.5-3ubuntu0.1-Ubuntu  www.bufferbloat.net
 +dnssec +multi ;; global options: +cmd ;; Got answer: ;;
 -HEADER- opcode: QUERY, status: NOERROR, id: 38038 ;; flags: qr
 rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4000 ;;
 QUESTION SECTION: ;www.bufferbloat.net.IN A

 ;; ANSWER SECTION: www.bufferbloat.net.86400 IN CNAME
 shipka.bufferbloat.net. www.bufferbloat.net.86400 IN RRSIG
 CNAME 7 3 86400 ( 20150430231644 20150331223348 6560
 bufferbloat.net. qVWE6+j4ESNbRoulnJO9FoDdSCWCpghIE2Pe9f0wGaF5
 lSdVv5S1A2S6P5YrZaWajp8BWPO/cliXjwStNQdoQ5Et
 YtHgrDZAMj1hW2CVR8TPWaa+I2R5jnmqbdTslBBCxkpG
 2vFLB6SioH8oh4JYtujD3K0XxOY543MclW7FF60= ) shipka.bufferbloat.net.
 86400 IN A 149.20.54.81 shipka.bufferbloat.net.86400 IN RRSIG
 A 7 3 86400 ( 20150430184126 20150331182930 6560 bufferbloat.net.
 QPy1G/6ho5zIbPA8KUKFKjFYVCOvib454oRvaQ1cvfZZ
 vLyvd8zUmLw8nxAa3hcsU1MZlLAo1ELPEOac8/ND0FkZ
 Wp8wm/OTajoFM9/cOZqFNXkPBdsboqlSo0+EBJiROuzI
 u2S8PtoC0y7gJdjeRIXHhoYsv+TeZm9TtrCGBK4= )

 ;; Query time: 34 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;;
 WHEN: Thu Apr 02 12:04:27 PDT 2015 ;; MSG SIZE  rcvd: 435

 d@nuc-client:~/public_html/archer_c7_O2$ dig www.bufferbloat.net
 +dnssec +multi

 ;  DiG 9.9.5-3ubuntu0.1-Ubuntu  www.bufferbloat.net
 +dnssec +multi ;; global options: +cmd ;; Got answer: ;;
 -HEADER- opcode: QUERY, status: NOERROR, id: 61475 ;; flags: qr
 rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
 QUESTION SECTION: ;www.bufferbloat.net.IN A

 ;; ANSWER SECTION: www.bufferbloat.net.86397 IN CNAME
 shipka.bufferbloat.net. shipka.bufferbloat.net.86397 IN A
 149.20.54.81

 ;; Query time: 0 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;;
 WHEN: Thu Apr 02 12:04:30 PDT 2015 ;; MSG SIZE  rcvd: 100



 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2.0.22 (GNU/Linux)

 iEYEARECAAYFAlUdocsACgkQKPyGmiibgrfJ2wCdEFNDy+Pefl6OJ2TIFintaIs2
 7c8An1JA7D0CpD+FxhOKU7o/bajnEmkL
 =YJ6J
 -END PGP SIGNATURE-

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] a little feedback on the new dnssec startup method in openwrt

[Dave Taht]

A) Not clear what happens if it tries to write it while the jffs
filesystem is still being cleaned

B)  the dnssec_timestamp file needs to go somewhere that can be
written by nobody.

B1) trying to create it to /etc/ fails and fails to startup dnsmasq (see A)

Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: started, version
2.73rc3 cachesize 150
Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: compile time
options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua
TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: DNS service
limited to local subnets
Thu Apr  2 18:31:52 2015 daemon.crit dnsmasq[3705]: cannot create
timestamp file /etc/dnssec_timestamp: Permission denied
Thu Apr  2 18:31:52 2015 daemon.crit dnsmasq[3705]: FAILED to start up
Thu Apr  2 18:31:57 2015 daemon.info dnsmasq[3706]: started, version 2.73

B2) creating it as root, but not chowning it to nobody, fails.

In this second case, failure to update mtime is ok and dnsmasq startup

Thu Apr  2 18:32:07 2015 daemon.err dnsmasq[3751]: failed to update
mtime on /etc/dnssec_timestamp: Permission denied
Thu Apr  2 18:32:07 2015 daemon.info dnsmasq[3751]: DNSSEC validation enabled

C) making it writable by nobody of course makes it vulnerable to other
users running as nobody

root@OpenWrt:/etc/config# ls -l /etc/dnssec_timestamp
-rw-r--r--1 nobody   root 0 Apr  2 18:32 /etc/dnssec_timestamp



-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] DNSSEC and www.ietf.org

[Dave Taht]

I have trouble accessing ietf.org, also, with older versions of
dnsmasq + dnssec, presently.

On Mon, Mar 30, 2015 at 8:52 AM, Marc Petit-Huguenin
m...@petit-huguenin.org wrote:
 Am I the only one who cannot access www.ietf.org since Cloudflare enabled 
 DNSSEC? (with dnsmasq-full 2.73-3)

 Thanks.

 --
 Marc Petit-Huguenin
 Email: m...@petit-huguenin.org
 Blog: http://blog.marc.petit-huguenin.org
 Profile: http://www.linkedin.com/in/petithug


 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] DNSSEC and www.ietf.org

[Dave Taht]

for cerowrt-3.10? Really wasn't planning on it. Didn't even know there
was a problem til today...

for my current openwrt builds - you betcha. thursday-ish.

On Mon, Mar 30, 2015 at 11:17 AM, Marc Petit-Huguenin
m...@petit-huguenin.org wrote:
 On 03/30/2015 11:49 AM, Simon Kelley wrote:
 Dnsmasq bug, should be fixed in 2.73rc3 pls shout if not.

 (the problem is that the clouldflare.bet zone includes the domains
 /003.cloudflare.net (that's ctrl-c at the start) and that was
 confusing dnsmasq.)

 Thanks.

 Dave, any chance to get a build of 2.73rc3?


 Simon.



 On 30/03/15 16:58, Dave Taht wrote:
 I have trouble accessing ietf.org, also, with older versions of
 dnsmasq + dnssec, presently.

 On Mon, Mar 30, 2015 at 8:52 AM, Marc Petit-Huguenin
 m...@petit-huguenin.org wrote:
 Am I the only one who cannot access www.ietf.org since Cloudflare
 enabled DNSSEC? (with dnsmasq-full 2.73-3)

 Thanks.

 -- Marc Petit-Huguenin Email: m...@petit-huguenin.org Blog:
 http://blog.marc.petit-huguenin.org Profile:
 http://www.linkedin.com/in/petithug


 ___ Cerowrt-devel
 mailing list cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel







 --
 Marc Petit-Huguenin
 Email: m...@petit-huguenin.org
 Blog: http://blog.marc.petit-huguenin.org
 Profile: http://www.linkedin.com/in/petithug




-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] High Availability: Part Deux

[Dave Taht]

I too would like a more high availability form of DNS and dhcp in general.

One thing that I do currently is use anycast in my (fairly complex,
highly routed) campus network, so that the local dns servers are
distributed via the babel routing protocol, and the closest one that
is up responds. (anycast is widely used on the internet backbone as
well)

this introduces problems in monitoring what, exactly, is up, and is
not as effective as what I would like. Replicating the dhcp leases and
dns entries remains a problem (what usually happens is users trying a
non working AP, end up trying another).

I still regard this distributed solution as it stands, as being
superior to the alternative of hauling back all dns and dhcp to a set
of central servers, which then would require perfect connectivity at
all times, centralized management of everything, and result in worse
caching.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Babel-users] Looping in EAGAIN

[Dave Taht]

I see this patch for EAGAIN on an interface going away did not make the
babel-ss-merge branch apparently.  (for those new to this bug, see:
http://lists.alioth.debian.org/pipermail/babel-users/2014-October/001777.html
for more details. )

No, I haven't had time to test this patch, nor have I come up with a better
idea.

I am curious if there could be some other *more robust* means of detecting
when an interface has gone away, and/or how dnsmasq was coping with this
situation nowadays.

(I'd mentioned this problem on the endless homenet thread

http://www.ietf.org/mail-archive/web/homenet/current/msg05156.html

and, thought I'd check to see if it was mainlined!)

I certainly hate any possibility anywhere in routing code where a
possibility for infinite loop existed. are there any checkers for such
loops in the world?

On Wed, Oct 15, 2014 at 2:00 PM, Juliusz Chroboczek 
j...@pps.univ-paris-diderot.fr wrote:
 Dave,

 I'm not going to have time to test this for a while.  In the meantime,
 here's a proposed patch, please let me know if you find the time to test
 it.
have
 -- Juliusz

 diff --git a/net.c b/net.c
 index 6f9728f..9b0b738 100644
 --- a/net.c
 +++ b/net.c
 @@ -141,7 +141,7 @@ babel_send(int s,
  {
  struct iovec iovec[2];
  struct msghdr msg;
 -int rc;
 +int rc, count = 0;

  iovec[0].iov_base = (void*)buf1;
  iovec[0].iov_len = buflen1;
 @@ -156,13 +156,18 @@ babel_send(int s,
   again:
  rc = sendmsg(s, msg, 0);
  if(rc  0) {
 -if(errno == EINTR)
 -goto again;
 -else if(errno == EAGAIN) {
 +if(errno == EINTR) {
 +count++;
 +if(count  1000)
 +goto again;
 +} else if(errno == EAGAIN) {
  int rc2;
  rc2 = wait_for_fd(1, s, 5);
 -if(rc2  0)
 -goto again;
 +if(rc2  0) {
 +count++;
 +if(count  1000)
 +goto again;
 +}
  errno = EAGAIN;
  }
  }



-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq 2.55 failures

[Dave Taht]

On Mon, Mar 23, 2015 at 3:31 PM, John Knight john.kni...@belkin.com wrote:

  Hi,



 We use dnsmasq 2.55 in our Linksys routers.  We have generally had few
 problems with dnsmasq, but recently one of our customers reported a failure
 that did not recover.


I have seen a failure with dns for ipv6 on dnsmasq like this (2-3 days of
uptime, then spiraling off into a unresponsive loop) as recently as 2.72.
Since ipv6 has now been rolled out universally across comcast's services
and this is (to my knowledge) the only crash bug dnsmasq has anymore, I
have been meaning to get the 2.73rc1 release candidate up and running full
time in an mixed ipv4/ipv6 environment and to pound it flat with queries
for some time now. I hope to deploy that candidate in the lab in a week or
so. More eyeballs would be helpful on finally tracking it down. What I
typically do is pound through the alexa top 1 million, repeatedly, and also
namebench, other tests are feasible.  I have some hope that the edns0
bugfix in this release candidate actually fixes it.

The five years of dnsmasq releases since 2.55 have had many bug fixes (see
release notes) and upgrades (notably dnssec), also, and it is well worth
upgrading your userbase even if this fix remains difficult to find.

folk on your side of the firmware might also benefit from seeing jim gettys
do his insecurity in home embedded devices talk, filmed here:

http://cyber.law.harvard.edu/events/luncheon/2014/06/gettys

and updated considerably since, with new data.

https://gettys.wordpress.com/2014/10/06/bufferbloat-and-other-challenges/




 On the customer’s router, the maximum number of dhcp clients is 50.  The
 customer happens to be a hotel and experienced a high usage rate and
 exceeded the 50 dhcp client limit.  As expected, the 50 active clients
 received their IP address and those over 50 did not.  However, the customer
 noticed that dns stopped working when this happened.  The CPU usage went to
 50% (49.4% was logged to dnsmasq by top).  This may be 100% of single CPU
 as this is a dual CPU router.  The environment is a mixed environment of
 both IPv4 and IPv6… I believe we only use dnsmasq for IPv6 for the dns
 capability; ipv4 uses dhcp and dns capability from dnsmasq.  The customer
 goes on to say that dhcp renewals were not being handled as well.  Customer
 has also added that sometimes they see issue with only 30 active dhcp users
 or so.  Apparently it requires a good number of users before it happens…
 and it does not occur immediately…. Sometimes a few days or more before it
 happens.



 I looked through some of your release notes and noticed some similarities
 on some bug reports, but did not see an exact match.  Does any of this make
 sense to you?  We tried reproducing this in our lab and were unsuccessful
 simulating the scenario.  We realize that our dnsmasq version is pretty old
 and a lot of fixes may have been applied since version 2.55.  If there is a
 good chance that the issues seen have been fixed in a later release, we
 will consider upgrading to a newer version.  If you could comment on the
 likelihood of a fix already being made, I would appreciate it.  Since we
 cannot reproduce the problem, we will likely have to apply a newer version
 (hopefully very stable) and have customer try it… something we would prefer
 to avoid unless we have some confidence that the problem may already be
 fixed in the newer release.



 Thank you for your time.  I look forward to hearing from you.



 Best Regards and thanks,



 John Knight



 *JOHN KNIGHT *
 Senior Software Engineer

 *Belkin International *

 O +1 949 238 4543
 M +1 949 351 1020
 [image: Belkin-WeMo-Linksys]




  __
 Confidential This e-mail and any files transmitted with it are the property
 of Belkin International, Inc. and/or its affiliates, are confidential, and
 are intended solely for the use of the individual or entity to whom this
 e-mail is addressed. If you are not one of the named recipients or
 otherwise have reason to believe that you have received this e-mail in
 error, please notify the sender and delete this message immediately from
 your computer. Any other use, retention, dissemination, forwarding,
 printing or copying of this e-mail is strictly prohibited. Pour la version
 française: http://www.belkin.com/email-notice/French.html Für die
 deutsche Übersetzung: http://www.belkin.com/email-notice/German.html
 __

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk

Re: [Dnsmasq-discuss] DNAME or domain to domain transltion?

[Dave Taht]

I have renewed hope then.

On Mon, Mar 16, 2015 at 11:09 PM, Paul Vixie wrote:

 dname is not dead. it always included a synthesized cname. so a dname in
 the zone file can create an unlimited number of cnames in cache.

 re:

   Dave Taht dave.t...@gmail.com
  Tuesday, March 17, 2015 11:41 AM
 I had had a lot of hope for DNAMEs, but they were shot down in the ietf
 years ago. Vestiges survive in bind, at least, but I suspect there is
 little application support.

 I would not mind an attempt to resurrect them. Naming in the face of being
 renumbered all the time by various ipv4 and ipv6 providers is a real PITA.




 --
 Dave Täht
 Let's make wifi fast, less jittery and reliable again!

 https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb


 --
 Paul Vixie




-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] DNAME or domain to domain transltion?

[Dave Taht]

I had had a lot of hope for DNAMEs, but they were shot down in the ietf
years ago. Vestiges survive in bind, at least, but I suspect there is
little application support.

I would not mind an attempt to resurrect them. Naming in the face of being
renumbered all the time by various ipv4 and ipv6 providers is a real PITA.

On Mon, Mar 16, 2015 at 6:33 PM, Adrian Lewis adr...@alsiconsulting.co.uk
wrote:

 Would it be fair to assume that there is no trick to this and if so, is
 there any interest in a feature request for supporting DNAME records?
 Unfortunately I'm simply a (very grateful) freeloader with no programming
 skills whatsoever. I have no idea whether implementing this would be
 something really simple or the opposite.

 Many thanks,

 Adrian

 -Original Message-
 From: Adrian Lewis [mailto:adr...@alsiconsulting.co.uk]
 Sent: 11 March 2015 19:06
 To: 'dnsmasq-discuss@lists.thekelleys.org.uk'
 Subject: DNAME or domain to domain transltion?

 Hi,

 I've tried to find this out through reading and googling and I can't find
 any obvious solution so I was hoping someone might know a trick that would
 help me. I'm trying to do some sort of domain to domain translation so
 that when a query for the a record of host1.firstdomain.tld is received,
 dnsmasq does a lookup for host1.seconddomain.tld and returns the IP as if
 the client had asked for host1.seconddomain.tld.

 For an individual host this is much the same as a CNAME record but I need
 to be able to specify the hostname dynamically so that
 %anything%.firstdomain.tld is a CNAME for %anything%.seconddomain.tld.
 Wildcards don't help either as this is not a case of
 %anything%.firstdomain.tld being a CNAME for
 specifichost.seconddomain.tld.

 From what I gather, this is what a DNAME record will do although support
 for this type of record seems a little scarce and dnsmasq doesn't support
 these directly. The purpose is not nefarious and it is all being done for
 internal to internal translation. I've not gone into why I need this in
 any great detail but it's nothing dodgy.

 The --synth-domain feature suggests that there is some sort of engine to
 create dynamic replies based on the query but I need the equivalent of:
 --synth-domain=firstdomain.tld,seconddomain.tld

 Can anyone help?

 TIA,

 Adrian

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] DNAME or domain to domain transltion?

[Dave Taht]

On Mon, Mar 16, 2015 at 9:18 PM, Brad Smith b...@comstyle.com wrote:

 On 03/16/15 22:41, Dave Taht wrote:

 I had had a lot of hope for DNAMEs, but they were shot down in the ietf
 years ago. Vestiges survive in bind, at least, but I suspect there is
 little application support.

 I would not mind an attempt to resurrect them. Naming in the face of
 being renumbered all the time by various ipv4 and ipv6 providers is a
 real PITA.


 I don't get why you said they were shot down. The DNAME record type
 is standards track with 2 RFCs issued. Starting as RFC 2672 and updated
 3 years ago with RFC 6672. As far as I can see they're supported by
 most of the open source authoritative name servers and recursive
 resolvers (BIND, NSD / Unbound, Knot, Yadifa, MaraDNS), commercial
 implementations such as Cisco, Nominum, Microsoft as well as OS
 resolvers.



I stand corrected. Do any applications work with DNAME?


 --
 This message has been scanned for viruses and
 dangerous content by MailScanner, and is
 believed to be clean.




-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Ow-tech] DNSSEC

[Dave Taht]

On Wed, Feb 11, 2015 at 2:11 PM, Seth l...@sysfu.com wrote:
 On Tue, 10 Feb 2015 16:57:07 -0800, Ranganathan Krishnan r...@selwastor.com
 wrote:

 I am looking into ways to improve DNS on the openwireless router software.
 When I mentioned DNSSEC as one of the items to review, I received this
 response from one of the developers.

 http://sockpuppet.org/blog/2015/01/15/against-dnssec/

I lack time in my life for a point by point rebuttal.

 CeroWRT put in work to include DNSSEC so there must be folks on the
 CeroWRT
 list  who don't see it that way.

If you wish to engage the advocates it would help to ask the question
of the relevant mailing lists. There are many, but I don't know them
all, but cc'ing dan york who is big on dane.

To clarify, in cerowrt, dnssec support was one of a dozen technologies
we wanted to prove viable on home routers and e2e, that comcast viewed
it as important enough to fund simon kelly to implement, and it's been
up and working for about 3 years now. We didn't do any real
development of it in cerowrt, we merely tested the results of that
effort and helped file off the rough edges, to make it more generally
deployable. Which it is.

Benefits I see to dnssec end-2-end:

1) The big one, that I personally love, is having a working NXDOMAIN,
where my upstream ISP cannot fill a dns miss with advertising domains.
There are a lot of valuable fallouts from this.

2) It doesn't cost much in terms of cpu or latency

3) A huge percentage of the sites I regularly visit ARE signed.

At least one criticism, now thoroughly eliminated by existence proof,
is that you can't run dnssec on the edge, and the problems that it
causes are mostly invisible - as are the benefits - as it should be.
The author of that post is more than welcome to try it for himself,
day in, day out, as we have.

 I would appreciate any pointers to
 discussions refuting
 the points made in the blog post above. If the points made in the blog
 post stand
 there would not be any reason to include DNSSEC in the openwireless
 router. So,
 I am looking for counterpoints that might establish that DNSSEC could have
 value.


 This talk doesn't refute the problems with DNSSEC, but rather reinforces
 them.

 Dan Bernstein: Authenticating The Whole Internet on Vimeo
 http://vimeo.com/18417770

 Worth a watch

 Dan Kaminsky's response - http://dankaminsky.com/2011/01/05/djb-ccc/

 Personally I'm a fan of DNSChain over DNSSEC - https://okturtles.com/

The debate has gone on 15 years. Alternative proposals need to be viable
enough to merit rollout... which, lacking consensus, would take another 15
years.

Certainly I would like to see DNS replaced with something better, and I
am willing to work towards that goal... but given a choice whether to
deploy dnssec more fully or not, I'd choose deployment.
 ___
 Ow-tech mailing list
 ow-t...@lists.eff.org
 https://lists.eff.org/mailman/listinfo/ow-tech



-- 
Dave Täht

thttp://www.bufferbloat.net/projects/bloat/wiki/Upcoming_Talks

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

[Dave Taht]

I was able to lock up this version of dnsmasq twice: 100% cpu usage.
No syscalls were visible from strace during the lockup. Lockups
occurred once on nearly at boot, and the second time, after a few
hours of casual usage, with only ipv6 upstreams, on cero-3.10.50-1.

furthermore, the only thing that kills it is a kill -9. I will build a
non-stripped version in the morning... (and I do note that I was
testing two things - one ipv6 upstreams only, and two, dnssec. Prior
to this version I was using both ipv4 and ipv6 upstreams, no issues,
had dnssec on also, usually no issues)

Other suggestions for debugging the causes of a lockup requested (log
all queries?)

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

[Dave Taht]

I strongly suspect an ipv6 fragmentation handling bug in the kernel
version cerowrt uses. Have tons of evidence pointing to that now,
starting with some tests run last year from iwl and also the tests
that netalyzer was doing. And: I just locked up the box completely
while doing some dnssec stuff.

will go through kernel git logs and see what has happened there since 3.10.50.

Turning on the edns-packet-max feature now, however, as I lack time to
poke into this in more detail, and we're supposed to be testing dnssec
as it is

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

[Dave Taht]

Wow, this thread goes back a ways. Is ds.test-ipv6.com still
configured wrong, and does it pass now? It passes for me (but I am
behind a more modern openwrt box right now)

Is there another site that demonstrates this problem?

BTW: For a while there (on comcast), in production, I ran with pure
ipv6 for dns (it reduced ipv4 nat pressure significantly!), but it
hung after a few days and I never got back to it. Were any problems
like this experienced and/or fixed for dnsmasq in the past 8 months or
so?

Anyway... enough incremental fixes have landed all across the board in
openwrt, and the chaos calmer process seems to have settled down
enough, to consider doing an entirely updated cerowrt based on 3.14
and pushing things like dnsmasq further forward...

... but I, personally, am still, not in the position to easily build
and test a new dnsmasq package for cerowrt and have no funding or time
for further development based on chaos calmer. Hopefully someone else
in the openwrt or cerowrt world can take up the slack. I see that
several bleeding edge sub-distros of openwrt have also emerged on
their forums...

(Yet I will still try to produce a test dnsmasq version from the
cerowrt-3.10 tree but I doubt it would be safe to do an opkg update
for it.)

On Thu, Jan 8, 2015 at 8:34 AM, Simon Kelley si...@thekelleys.org.uk wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 OK, it's taken some time, but with this insight, I've recoded the
 relevant stuff to look for the limits of the signed DNS tree from the
 DNS root down. That's clearly the correct way to do it, and should
 avoid the original problem here, caused by sending DNSSEC queries  to
 DNSSEC-unaware servers in the unsigned parts of the tree.

 This was quite a big change, and it could do with some serious
 testing. Available now on the dnsmasq git repo, or as 2.73test3 in a
 tarball.

 There are other DNSSEC fixes in there too, Check the changelog.


 Cheers,

 Simon.


 On 04/10/14 22:45, Anders Kaseorg wrote:
 On Fri, 3 Oct 2014, Anders Kaseorg wrote:
 secure no DS means that the original unsigned answer should be
  accepted, except that it shouldn't. There's no way to
 distinguish between secure lack of DS because we've reached an
 unsigned branch of the tree, and secure lack of DS because
 we're not at a zone cut, except if we know where the zone cuts
 are, and we don't.

 Having just looked through RFC 5155 for clues: isn’t that the
 purpose of the NS type bit in the NSEC3 record?  In this example,
 DS university would give an NSEC3 record with the NS bit clear.
 That signals that we should go down a level and query DS campus.
 In this case we find a signed DS there.  But if we were to find
 an NSEC3 with the NS bit set, then we’d know that we’ve really
 found an unsigned zone and can stop going down.

 Aha: and this is exactly the answer given at
 http://tools.ietf.org/html/rfc6840#section-4.4 .

 Anders

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1

 iQIcBAEBCAAGBQJUrrGDAAoJEBXN2mrhkTWitZ0P/1T8AaAAlcgI6Z9oDXBGKR+Q
 gw0E0bUcmMsvOf5YepR4jqNqonMYBDEv5aSx4EG13LEYBdEekVjUWlakcTSFGCCH
 r4bx91XmxZBBSjBM2UNRd4B/dGY34YydbjPFnV/Mmzv5FdUzmVxG3PRQ3E0EyyLp
 Eczm+s0Dxz4pGzEINhFHZ6T8sByDeSjAb3adBNidofKFSevwIv/iOMOQJ5moQfem
 VkY+azpFzSmpdeNpIU+uboMfcg4jhFpVU3WRr7umTmLc0KOus1j7ao9GxSujPQHo
 S7q+IwSwKHUPMEeEmQh+j7yJ2seweGuqGl0quWkHaqGUIOh2C2E756qZfXeenUcv
 ia00dcKmpCYi0Ay3nXdgIq91aRwc78GsR93MEBTuvJwDmAUDupsbZMdlA/3D6tOd
 ZTREvBmxkFz/QYOo731N/JzdaflQeLUrNPIwRJKpYFW9caotiJ3EiihRGrqrjHBk
 a7h8QXy8bQKxc3G0LLKlJNIkxApnNzG6YGSmD6t9bzRPn/sSqar0Ws0IIYd5nYDv
 hB4ggfpHvrnEbke4lkfoEBLbJmFFcnSngJh7oDCMT6XEpqeUH7HT0RmYEncnbH1C
 9ZRpzUlzxyhZawjBbXWQBNmxhT2Z/KFYkLUkKMPnb060CBtn8DwlkZ22b2dqOvH8
 TeRUKySnx6ieH+55fjG4
 =CehB
 -END PGP SIGNATURE-



-- 
Dave Täht

thttp://www.bufferbloat.net/projects/bloat/wiki/Upcoming_Talks

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

[Dave Taht]

OK, I built this latest dnsmasq as a test for cerowrt-3.10-50 users:

login to the router
cd /tmp
wget 
http://snapon.lab.bufferbloat.net/~cero2/dnsmasq/dnsmasq-full_2.73-3_ar71xx.ipk
opkg install ./dnsmasq-full_2.73-3_ar71xx.ipk
(ignore the warnings about not overwriting several files)

I did a few tests on the former dnssec problematic sites and
everything looked kosher. As for the variety of the dnssec testing web
sites about half seem down or mis-behaving. Sigh. the ongoing
costs of keeping core internet test tools going strikes again...

In an orgy of self-flagellation, and *only because I have native ipv6*
I also turned off dns queries over ipv4 entirely (this is option
peerdns '0'  in /etc/config/networks on cerowrt's ge00 config), and
will pound on it a few days/weeks. I send this email prior to actually
trying that, however


On Thu, Jan 8, 2015 at 10:07 AM, Simon Kelley si...@thekelleys.org.uk wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256



 On 08/01/15 17:44, Dave Taht wrote:
 Wow, this thread goes back a ways. Is ds.test-ipv6.com still
 configured wrong, and does it pass now? It passes for me (but I am
 behind a more modern openwrt box right now)

 ds.test-ipv6.com is still showing the same behaviour it was back in
 April (!) as far as I can see.

My bad. The modern openwrt I am behind does not have the dnsmasq-full
package installed.

 Queries to test-ipv6.com (which is what
 tripped up Jim in the first place) work fine on the latest dnsmasq,
 code, forwarding to 8.8.8.8


 Is there another site that demonstrates this problem?

 There were three in Aaron Wood's original posting (subject: Had to
 disable dnssec today)

 - - Bank of America (sso-fi.bankofamerica.com)
 - - Weather Underground (cdnjs.cloudflare.com)
 - - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)


 All three work for me with the new code. I didn't try old dnsmasq, to
 see if the repair was from that or the DNS configuration.


 BTW: For a while there (on comcast), in production, I ran with
 pure ipv6 for dns (it reduced ipv4 nat pressure significantly!),
 but it hung after a few days and I never got back to it. Were any
 problems like this experienced and/or fixed for dnsmasq in the past
 8 months or so?


 http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=5782649ad95382dd558df97b33b64e854d8789fb

 is a possible candidate.

K.

 Anyway... enough incremental fixes have landed all across the board
 in openwrt, and the chaos calmer process seems to have settled
 down enough, to consider doing an entirely updated cerowrt based on
 3.14 and pushing things like dnsmasq further forward...

 ... but I, personally, am still, not in the position to easily
 build and test a new dnsmasq package for cerowrt and have no
 funding or time for further development based on chaos calmer.
 Hopefully someone else in the openwrt or cerowrt world can take up
 the slack. I see that several bleeding edge sub-distros of openwrt
 have also emerged on their forums...

 (Yet I will still try to produce a test dnsmasq version from
 the cerowrt-3.10 tree but I doubt it would be safe to do an opkg
 update for it.)

 There shouldn't be any non backwards-compatible changes in dnsmasq to
 bite you. Don't know about other stuff.

So far so good.



 Cheers,

 Simon.



 On Thu, Jan 8, 2015 at 8:34 AM, Simon Kelley
 si...@thekelleys.org.uk wrote: OK, it's taken some time, but with
 this insight, I've recoded the relevant stuff to look for the
 limits of the signed DNS tree from the DNS root down. That's
 clearly the correct way to do it, and should avoid the original
 problem here, caused by sending DNSSEC queries  to DNSSEC-unaware
 servers in the unsigned parts of the tree.

 This was quite a big change, and it could do with some serious
 testing. Available now on the dnsmasq git repo, or as 2.73test3 in
 a tarball.

 There are other DNSSEC fixes in there too, Check the changelog.


 Cheers,

 Simon.


 On 04/10/14 22:45, Anders Kaseorg wrote:
 On Fri, 3 Oct 2014, Anders Kaseorg wrote:
 secure no DS means that the original unsigned answer
 should be accepted, except that it shouldn't. There's no
 way to distinguish between secure lack of DS because
 we've reached an unsigned branch of the tree, and secure
 lack of DS because we're not at a zone cut, except if we
 know where the zone cuts are, and we don't.

 Having just looked through RFC 5155 for clues: isn’t that
 the purpose of the NS type bit in the NSEC3 record?  In
 this example, DS university would give an NSEC3 record with
 the NS bit clear. That signals that we should go down a
 level and query DS campus. In this case we find a signed DS
 there.  But if we were to find an NSEC3 with the NS bit
 set, then we’d know that we’ve really found an unsigned
 zone and can stop going down.

 Aha: and this is exactly the answer given at
 http://tools.ietf.org/html/rfc6840#section-4.4 .

 Anders




 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1

Re: [Dnsmasq-discuss] [homenet] sorting out the right ipv6 addr to choose and name in a source specific world

[Dave Taht]

On Thu, Dec 18, 2014 at 2:06 PM, Brian E Carpenter
brian.e.carpen...@gmail.com wrote:
 On 19/12/2014 04:07, Michael Richardson wrote:

I am way behind on my mail (this thread) and will be away for the holidays.

Merry Christmas, everyone, and to all a happy new year!

 Dave,
 my take is that applications, and the entire gai.conf/getaddrinfo() library
 is broken.  Applications can neither be updated nor be trusted to know enough
 about the system to be able to make a proper decision.

I concur. Also other apis dating from the 70s, like sendmsg,getmsg,
and the new sendmmsg,getmmsg are a real pita to use, but increasingly
of interest to the webrtc, quic, and brave new post-tcp udp-only
world.

 Somewhere, someone was working on a new connect(2) call that took FQDNs
 rather than sockaddr's, such that the kernel could take ownership of this
 problem.

 I suppose you are thinking of Name Based Sockets:
 http://tools.ietf.org/html/draft-ubillos-name-based-sockets

 It's dead, as far as I know.

It's not dead, it's resting!

The kernel work is not that out of date (3 years). Why did progress stop?

https://github.com/namebasedsockets

I for one would really like names to get more closely tied to numbers...


 (Of course, actually solving the problem in a kernel is probably the
 wrong answer).
 What is necessary is some new infrastructure inside the box which becomes
 standardized (like sockets API was), with some daemon that thinks about the
 best source addresses is, and possibly gets involved with routing protocols.
 (I'm told that OSX has a sophisticated state machine that combines DHCP and
 1x, and wifi... it sounds like it could be the start of such a thing)

Openwrt had to go to very tightly integrated internal messaging API in
order to get all of the newly mandated dynamicsm in ipv6 sort of taken
care of, and that still isn't quite working right.

Yes, looking over OSX would be a good idea.


 I think that shim6 and mptcp are answers in this equation.

 shim6 has, I'm told, deployment issues which make me very very sad.

 Like, it cannot get through most firewalls.

I would like to test it against modern firewalls.


 mptcp, I'm told, is likely to show up in Apple and Google products and
 infrastructure, and my idea (and many others) is that you don't always have
 to pick the perfect address for the SYN, just one that works, but rather one
 can add better addresses as one discovers them.

 But bad luck if you need UDP.

Meh. The world is seemingly moving to userspace networking anyway.


 Some form of intelligent probing does seem to be the answer,
 but certainly that needs to be generic because we cannot expect
 all apps developers to reinvent it. That's one reason we wrote
 http://tools.ietf.org/html/draft-naderi-ipv6-probing recently.

Brian




-- 
Dave Täht

thttp://www.bufferbloat.net/projects/bloat/wiki/Upcoming_Talks

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] sorting out the right ipv6 addr to choose and name in a source specific world

[Dave Taht]

I have been wrestling with prefix coloring, where choosing a best
prefix would be of use in (for example) reducing the problems induced
by happy eyeballs when more than one ipv6 prefix is present and
several other scenarios.

There are many parts to this - one is in addressing, the other in DNS,
and this is not dnsmasq specific but kind of general.

* gai.conf

Does anyone have a better gai.conf file or getaddrinfo implemention
out there?

This is the closest I've found to what I sort of think I want.

http://biplane.com.au/blog/?p=122

* hints for addressing?

I will start with the complex scenario - I have three primary
connections to the internet (one is hardline, one is 5 hops away on a
source specific gateway to elsewhere, the last LTE), with slaac, dhcp,
and privacy addresses assigned for each, a ula for internal addressing
(with possibly slaac, dhcp, and privacy addresses), and a vpn (also on
a ula). What the heck, let's throw in a hip address, also. And... why
not? A legacy ipv6 tunnel from hurricane, a 2002:address for 6to4

The ideal scenario is where the host app picks the best address for
each connection type, and I am a little vague on what actually
happens. What my backbrain (but not RFC 3484 - is there a later rfc
for what gai.conf should do?) says should happen is that the host
should pick the shortest prefix match between source and destination.
Well, it turns out this breaks down - my tunnel is a 2001::address,
and my native ipv6 connection is a 2600::address, and my destination
(being on the legacy internet), is a 2001::address, so things tend
to pick the tunnel rather than the native address. A differentiation
between these is that I have a different MTU for each. Another is how
these addresses are acquired - the main address comes from dhcpv6,
tunnel from a he speciifc script, the source specific gateway comes
from hnet, the lte address is pppoe

And worse, the best address is dynamic and changes every week, and
on reboots, (this just happened to me and I went nuts flushing old
ipv6 addrs everywhere, since I lack hnetd) and caching it or using it
internally is a bad idea when a static ULA or more static tunnel addr
is available,

The LTE connection costs money to use, and is definately secondary
in intent, and I can see supplying that via ra as secondary. I can
also see treating almost all the others as secondary also, but it
probably would be nice to have the nearly equal cost hnetd supplied
prefix have a chance at being used occasionally.

and, sigh, the ip route command has no ability currently to set
secondary on an address.

* In terms of DNS

spitting all these into a single DNS record strikes me as insane.
However, having more than one visible address per dns entry strikes me
as desirable. Certainly a dhcp supplied address should end up in dns,
and dnsmasq also has a mechanism to put slaac assigned address into
dns.

putting the ULA in the local dns is actually desirable when you have split dns.

Perhaps having a subdomain per address type? dave.lte.home.lan
dave.slaac.home.lan dave.dhcp.home.lan?

I am not offering any solutions here, just sharing a headache. There
are some other basic problems like setting a default src address on a
default route in this scenario that are giving me headaches in the
source specific universe...

* In terms of being a host and selecting the

for example, I think linux presently choses the last assigned static
address as it's default source, and that can be overridden with stuff
like:

ip -6 route add default via 2001:db8::1 dev ethic src 2001:db8::abcd

but it is not done today, and is not always the correct thing. I add a
vpn address last in my case.

What I see happening now is distributing source specific routes to
hosts doesn't work, if you merely have

default from 2001:558:6045:bd:8dcc:5e18:dd54:b31c via
fe80::6eb0:ceff:fe0b:e2ab dev eth0  proto babel  metric 1024
default from 2601:9:3640::/60 via fe80::6eb0:ceff:fe0b:e2ab dev eth0
proto babel  metric 1024

and no broader default, the right thing doesn't happen for source
address selection on the host. You end up with no ipv6 connectivity at
all until you add something like this

default via fe80::6eb0:ceff:fe0b:e2ab dev eth0  metric 1024

or this

default from :: via fe80::4a1:51ff:fea3:1304 dev eth0.2  proto babel
metric 1024 (different machine)

to get something that works.


On Mon, Dec 1, 2014 at 2:17 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 On 01/12/14 18:49, Michael Gorbach wrote:
 On Nov 30, 2014, at 11:17 AM, Simon Kelley si...@thekelleys.org.uk
 wrote:

 On 29/11/14 19:18, Michael Gorbach wrote:
 Hi All,

 I've got a question and potential enhancement request. It looks
 like right now, the (very useful) interface-name feature pulls
 all (global) addresses from the interface. One of my machines
 uses IPv6 privacy extensions (known in Linux as use_tempaddr),
 which means that in addition to link-local and permanent global
 addresses, it has a rotating cast of ~ 5 

Re: [Dnsmasq-discuss] Trying to get hnetd working, trying to get distributed dns better

[Dave Taht]

On Mon, Nov 24, 2014 at 1:25 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 On 23/11/14 17:16, Dave Taht wrote:
 I setup a bunch of picostations running openwrt barrier breaker to try
 and get hnetd working, some details here:

 https://plus.google.com/u/0/107942175615993706558/posts/jV9WJyEYGGP

 Ran into problems also with getting reverse dns to work right.



 You're doing stuff like rev-server=172.23.2.0/23,172.23.2.1
 but the reverse zone isn't trivially representable as an in-addr.arpa
 zone unless the prefix length is divisible by 8

 2.23.172.in-addr.arpa corresponds with 172.23.2.0/24, but what's the
 equivalent for 172.23.2.0/23

172.23.2.0/24
172.23.3.0/24

But yes, I had forgotten how reverse dns lookups worked in the general
case, and will try distributing a file with the /24s broken out.

Thanks!

 You can do nasties with cnames, but rev-server doesn't. It also doesn't
 seem to error if size%8 != 0, which is bad.

However, I would argue that the correct dnsmasq behavior should be to
break it up into /24s internally, whenever possible, and to retain the
expressive simplicity of being able to specify other prefix lengths.



 Cheers,

 Simon.






-- 
Dave Täht

thttp://www.bufferbloat.net/projects/bloat/wiki/Upcoming_Talks

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] rebind-protection vs servers-file

[Dave Taht]

On Mon, Nov 24, 2014 at 1:02 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 On 22/11/14 23:06, Dave Taht wrote:
 I have been fiddling with improving my internal dns, by creating a
 file that has all my internal dns servers in it that I can easily copy
 everywhere.

 Example serversfile.

 server=/rossow.r.lupinlodge.org/172.23.143.9
 rev-server=172.23.8.0/23,172.23.143.9

 server=/lodge.r.lupinlodge.org/172.23.143.7
 rev-server=172.23.6.0/23,172.23.143.7

 and Adding the one line of parsing needed in openwrts dnsmasq script...

 with rebind-protection enabled I get an error if trying to ping
 rossow.r.lupinlodge.org

 with it disabled, it does the right thing.

 Will fiddle some more


 So dnsmasq is forwarding the query for rossow.r.lupinlodge.org and
 getting an RFC 1918 address back as the answer? That will trigger the
 rebind protection, which does nothing more than disallow RFC1918
 addresses in answers from upstream servers; it's not very bright. As far
 as I can see, rebind protection is fundamentally incompatible with the
 network-of-dnsmasq instances you're experimenting with, since RFC1918
 addresses as answers from other dnsmasq instances are required.

I had figured that specifying these in the serversfile would override
the basic rebind protection for these ips.



 Cheers,

 Simon.

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

thttp://www.bufferbloat.net/projects/bloat/wiki/Upcoming_Talks

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Trying to get hnetd working, trying to get distributed dns better

[Dave Taht]

I setup a bunch of picostations running openwrt barrier breaker to try
and get hnetd working, some details here:

https://plus.google.com/u/0/107942175615993706558/posts/jV9WJyEYGGP

Ran into problems also with getting reverse dns to work right.

I think I should switch to blogging this stuff rather than g+. It
would let me draw pretty pictures of all this complexity.

-- 
Dave Täht

http://www.bufferbloat.net/projects/bloat/wiki/Upcoming_Talks

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] rebind-protection vs servers-file

[Dave Taht]

I have been fiddling with improving my internal dns, by creating a
file that has all my internal dns servers in it that I can easily copy
everywhere.

Example serversfile.

server=/rossow.r.lupinlodge.org/172.23.143.9
rev-server=172.23.8.0/23,172.23.143.9

server=/lodge.r.lupinlodge.org/172.23.143.7
rev-server=172.23.6.0/23,172.23.143.7

and Adding the one line of parsing needed in openwrts dnsmasq script...

with rebind-protection enabled I get an error if trying to ping
rossow.r.lupinlodge.org

with it disabled, it does the right thing.

Will fiddle some more

-- 
Dave Täht

thttp://www.bufferbloat.net/projects/bloat/wiki/Upcoming_Talks

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] dnsmasq deployed with dnssec

[Dave Taht]

on cerowrt (ALONG with all the fq_codel, and ipv6 chocolately goodness)


http://n1.netalyzr.icsi.berkeley.edu/summary/id=43ca253f-2477-6d1fcde4-650e-45fa-8551

dnssec. working. after 12 years.

/me happy

THANK YOU SIMON FOR THIS IMPORTANT WORK!

(I am puzzled about the edns0 result, tho.)

-- 
Dave Täht

https://www.bufferbloat.net/projects/make-wifi-fast

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Suggested configuration best practices for home net with dynamic ipv6 prefix?

[Dave Taht]

On Mon, Sep 22, 2014 at 5:49 AM, Stephen Riehm dnsm...@opensauce.de wrote:
 Hi,

 I'm wondering if there are some 'typical' or 'best practice'
 configuration norms for configuring dnsmasq to provide A and 
 DNS lookups for unqualified and qualified hostnames in an ipv6 home
 network without a static ipv6 prefix?

 Some things which are causing me headaches are:

 My ISP gives me a new ipv4 address and ipv6 prefix whenever my router 
 re-connects (daily).
 (6to4 dual stack, ipv6 prefix = 2002:ipv4/56)

 My router (fritzbox) provides DHCPv6 however it insists on using the domain 
 name
 fritz.box. and the name resolution seems to be very flakey. I'm hoping to 
 replace
 the router's DNS  DHCP services with dnsmasq on a separate server (freebsd).

OpenWrt tackled a lot of these problems with barrier breaker.

So has the homenet working group of the ietf.

 I would like to access some of my servers via ipv6 from the internet, but not 
 others.
 (idea: add an NS record to my ISP's configuration, specifying my dnsmasq 
 server as
 the authoritative server for my sub-domain - arguments pro / contra?
 I can access my network via dyndns  ipv4 just fine)

 There seems to be a plethora of components required to get all this right,
 any insights would be greatly appreciated! (I've read through the man pages 
 and
 they all seem to overlap - I'm a programmer but not a network expert, there's
 lots of networking terms  acronyms in the man pages that I don't fully 
 understand)

 For example, assuming dnsmasq is running on a host in my local network:

 Router configuration (fritzbox provides the following options):
 Define a Unique Local Address? (fd00::... - currently off)
 Should the DHCPv6 in the router be on?
 with IA_PD? (prefix delegation? That's a good thing for me, 
 right?)
 with IA_PD and IA_NA?
 or DHCPv6 turned off in the router and:
 O-Flag?
 O- and M-Flags?

 On the dnsmasq server:
 should rtsold be running?
 and rtadvd?
 and radvd?
 does 'enable-ra' cover these?

 can dnsmasq detect a (new) host's autoconfigured ipv6 address and add 
 the name to its DNS tables? if so, how?
 I tried using all combinations of ra-names, ra-stateless, slaac with 
 dhcp-range=::,constructor:em0
 but none worked.
 I figure this could have something to do with the following from the 
 dnsmasq manpage:

 Note that just any address on eth0 will not do: it must not
 be an autoconfigured or privacy address, or be deprecated.

 However, my global address *is* autoconfigured - what else could I 
 try?
 Is there a way to substitute today's ipv6 prefix into the 
 dhcp-range somehow?

 I have domain=example.com., local=/example.com./ and 
 auth-zone=example.com.,em0
 Do I need all three?

 My hope was to continue using auto-configuration on all of the hosts 
 (mac,linux,bsd,mobile devices),
 but having them all reference a single DNS server for their fully qualified 
 domain name and
 NS lookups.

 Or am I missing something obvious?

 Thanks in advance,

 Steve
 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

https://www.bufferbloat.net/projects/make-wifi-fast

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] OpenWRT, modem restarts and lost dhcp leases

[Dave Taht]

The simplest thing to do is merely move the dhcp leases file to
persistent storage, if you are willing to live with the long term
failure mode of flash becoming less long term. I don't honestly know
the cycle lifetime of low end flash chips anymore - it was very bad
when they first came out but has improved dramatically in the last 10
years.

On Fri, Aug 22, 2014 at 11:39 AM, Anatol Pomozov
anatol.pomo...@gmail.com wrote:
 Hi

 This is a follow-up for a discussion that I had in systemd maillist
 [1]. Here is description of the problem:

 I have a router (Archer C7 V2) where I use patched version of OpenWRT.
 It uses dnsmasq as a dhcp server for my local network. OpenWRT uses a
 file on tmpfs to store the dhcp leases. When I reboot modem the files
 on tmpfs are lost and dnsmasq needs to build the dhcp lease database
 from anew. All the machines that are connected directly to the modem
 (via cable or via wifi) work fine here - they notice that data link
 went down and when it gets back they update DHCP information.

 The problem is when some machine is located in a different network
 segment. In this case the data layer stays healthy, machine does not
 notice anything wrong with the network and dhcp client does not update
 DHCP lease at the router. So I cannot ping my machine by the name
 anymore, pinging by ip works fine. To update the lease I need to power
 cycle the ethernet switch that serves that network segment. But of
 course it is not the best solution.

 So my question what is the solution for such problem? Should dnsmasq
 ask on start all the machines to update their dhcp leases? Is it what
 FORCERENEW option is? I see that FORCERENEW is not implemented in
 dnsmasq.

 [1] 
 http://lists.freedesktop.org/archives/systemd-devel/2014-August/022363.html

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] mdns support

[Dave Taht]

As an outgrowth of the ietf homenet working group, the homewrt folk
are attempting to blend together mdns, an mdns proxy, and improved
address allocation schemes with dnsmasq in openwrt. They could use
some more testers, coders, and help in general. I have long planned to
integrate their work in cerowrt, and ultimately, I hope their work
lands in openwrt and other operating systems.

I would certainly like it if everything hung together tighter than it
does at the moment.

Homwrt folk can be found on #hnet-hackers on irc.

The website is:

http://www.homewrt.org/

and the relevant drafts are on the dnssd and homenet wg pages.

http://tools.ietf.org/wg/homenet/

http://datatracker.ietf.org/wg/dnssd/

I view (in the coming ipv6 era) getting addressing, naming, and
resource discovery right as pretty darn important, and the present
state of things is abominable... this appears to be a start towards
re-integrating mdns with regular dns:

http://tools.ietf.org/html/draft-cheshire-mdnsext-hybrid-02


On Thu, Jun 19, 2014 at 12:35 PM, Vasiliy Tolstov v.tols...@selfip.ru wrote:
 2014-06-19 14:25 GMT+04:00 Tomas Hozza tho...@redhat.com:
 From what I remember there was some discussion [1] in the past,
 but not really any final decision...

 [1] 
 http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007753.html


 =(. I'm try to use avahi, but it dometimes not work, also i can't
 publish some addresses (process hang). And i thinkg that nss module
 not needed if normal dns server able to do mdns requests.
 Also avahi hardcore timeout for request to 5000msec, and ping
 xxx.local address  that does not have ptr record need every time
 timeout for 5 secods. As i see avahi not maintained (last release more
 than year ago).

 --
 Vasiliy Tolstov,
 e-mail: v.tols...@selfip.ru
 jabber: v...@selfip.ru

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq not working as DNS server for client machines

[Dave Taht]

On May 22, 2014 3:37 PM, Chris Green c...@isbd.net wrote:

 On Thu, May 22, 2014 at 11:08:22PM +0100, Chris Green wrote:
  On Thu, May 22, 2014 at 10:46:46PM +0100, Chris Green wrote:
   I seem to have spoken too soon with my transfer of dnsmasq to a
   different machine.
  
   It's running on my desktop machine which is also an always on server.
   DNS is working fine for the desktop machine itself but it's not
   working for client machines.
  
   DHCP is working though, so clients get an IP address OK and can talk
   to other machines on the LAN if I specify IP addresses rather than
   names.
  
   So how do I diagnose this?  It's on xubuntu 14.04 so it's made a
   little opaque by not being able view 'real' DNS servers anywhere
  
  Sorry about that abrupt end.  Not much to add though.
 
  As a general comment it would be very useful to be able easily to see
  what DNS servers are being used.
 
 ... a little more information.  DHCP clients are getting all the right
 information, e.g. the laptop I'm using at the moment has:-

 IP Address: 192.168.1.125
 Broadcast Address:  192.168.1.255
 Subnet Mask:255.255.255.0
 Default Route:  192.168.1.1
 Primary DNS:192.168.1.4

 The default route is an ADSL router and the primary DNS is my desktop
 server machine running dnsmasq.  So it would appear that dnsmasq isn't
 answering DNS queries rather than it's not doing DHCP correctly.

 It's almost certainly a trivial configuration problem but I can't see
 it at the moment.

Tcpdump is your friend.


 --
 Chris Green

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

[Dave Taht]

On Thu, May 1, 2014 at 1:26 PM, Rich Brown richb.hano...@gmail.com wrote:

 On May 1, 2014, at 2:37 PM, Simon Kelley si...@thekelleys.org.uk wrote:

 On 30/04/14 18:26, Dave Taht wrote:
 On Tue, Apr 29, 2014 at 1:57 PM, Phil Pennock
 cerowrt-devel+p...@spodhuis.org wrote:

 snip, snip snip...

 Is the consensus to not run with negative proofs on at this juncture?

 If you want stuff to just work, turn off negative proofs, if you want to
 push the envelope, leave them on and complain to domain-admins.

 I had some feeling that something like this might be a problem, hence
 the discrete controls.

 I apologize that I haven't been following this closely, but so I'm going to 
 ask a TL;DR question.

 Which places in the OpenWrt/CeroWrt GUI (or the config files) do I use to 
 wiggle these levers?

There is no gui support as yet. enablement is via /etc/dnsmasq.conf

I disabled (commented out) the negative proof checks in the 3.10.38-2 release.

 Thanks!

 Rich



-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

[Dave Taht]

On Tue, Apr 29, 2014 at 1:57 PM, Phil Pennock
cerowrt-devel+p...@spodhuis.org wrote:
 On 2014-04-29 at 14:22 +0100, Simon Kelley wrote:
 secure no DS means that the original unsigned answer should be accepted,
 except that it shouldn't. There's no way to distinguish between secure
 lack of DS because we've reached an unsigned branch of the tree, and
 secure lack of DS because we're not at a zone cut, except if we know
 where the zone cuts are, and we don't.

 Fair point.

 That's why dnsmasq works up from the bottom. The first secure no-DS
 answer we find marks the boundary between signed and unsigned tree.

 Dnsmasq is acting as a validating stub resolver here. That's a supported
 role for DNSSEC, so this must be possible. If it's not then we have a
 standards problem.

 You have a standards vs reality problem: lots of loadbalancer appliances
 suck at DNS and are only just now managing to return errors, instead of
 dropping the query (hanging), when queried for  records instead of A
 records.

 ( This has led to no end of pain in the IPv6 world; Happy Eyeballs,
   expectations around improved _client_ behaviour, handle other parts of
   the puzzle and tends to require the concurrency that a client also
   needs to handle DNS problems, but it's still distinct. )

 You're not going to get such loadbalancers responding sanely to a DS
 query any time soon, and with the other DNS client software all being
 recursors which work fine because they know where zone cuts are, you're
 going to be fighting a long hard battle with vendors and sites to get
 them to fix their brokenness when it works for everyone else.

 So the standards 100% support what you're doing, but they don't match
 common stupidity in deployed (high end, expensive) equipment.

The only idea I have is to adopt some sort of whitelisting technology,
and simultaneously nag the folk with busted implementations.


 To support DNSSEC in the real world without changing from being a
 forwarder, you're going to need new insight.  My only thoughts are
 around whether or not this might provide impetus for TKEY-based TSIG for
 forwarders to establish trust links to recursors elsewhere, in which
 case once you have a TSIG key (whether TKEY-derived or OOB manual) then
 you might delegate trust to the remote recursor.

I see there have been a few commits to dnsmasq that address some stuff.


 Sorry to be the bearer of bad news,

I'm delighted to have got this far.

Is the consensus to not run with negative proofs on at this juncture?

 -Phil



-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

[Dave Taht]

On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys j...@freedesktop.org wrote:

 ​​Comcast recently lit up IPv6 native dual stack in the Boston area.

 The http://test-ipv6.com/ web site complains about DNS problems unless
 dnssec is disabled; if it is, I get various timeouts.



 Test with IPv4 DNS record
 ok (4.196s)
 Test with IPv6 DNS record
 ok (0.115s) using ipv6
 Test with Dual Stack DNS record
 timeout (11.882s)


I  don't  know what this test does. try a local query over ipv6?

Test for Dual Stack DNS and large packet
 timeout (11.817s)
 Test IPv4 without DNS
 ok (0.214s) using ipv4
 Test IPv6 without DNS
 ok (0.204s) using ipv6
 Test IPv6 large packet
 ok (0.120s) using ipv6
 Test if your ISP's DNS server uses IPv6
 slow (8.752s)
 Find IPv4 Service Provider
 timeout (11.968s)
 Find IPv6 Service Provider
 ok (0.126s) using ipv6 ASN 7922
 Test for buggy DNS
 undefined (5.003s)

 DNS server addresses look reasonable for Comcast.
 DNS 1: 75.75.75.75
 DNS 2: 75.75.76.76


To try to isolate  things a little  bit, you can turn off fetching ipv4 dns
servers
with

option peerdns  '0'

in the wan (ge00) stanza  of /etc/config/network

and let the wan6 stanza fetch them.

A packet capture of it working vs not working would be good.

tcpdump  -i ge00 -w cap1.cap port 53

Also  capture on the local interface.

DNS 1: 2001:558:feed::1
 DNS 2: 2001:558:feed::2

 Today, the problem seems consistent with turning dnssec on and off on the
 router.  If enabled, I have problems; if disabled, I get a clean bill of
 health out of test-ipv6.com.
  - Jim


 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




-- 
Dave Täht

NSFW:
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

[Dave Taht]

I have put a link up to two of jim's captures going to test-ipv6 via cero,
one with dnssec enabled, captured at the local laptop

http://snapon.lab.bufferbloat.net/~cero2/baddns/

definately a lot of missing responses when captured at this end. the local
laptop is using a local dnsmasq forwarder.

It is falling back to trying a recursive lookup on the default domain (
ipv6.test-ipv6.com.home.lan ) - which it does do a nxdomain for
immediately...



On Mon, Apr 28, 2014 at 10:03 AM, Dave Taht dave.t...@gmail.com wrote:




 On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys j...@freedesktop.org wrote:

 ​​Comcast recently lit up IPv6 native dual stack in the Boston area.

 The http://test-ipv6.com/ web site complains about DNS problems unless
 dnssec is disabled; if it is, I get various timeouts.



  Test with IPv4 DNS record
 ok (4.196s)
 Test with IPv6 DNS record
 ok (0.115s) using ipv6
 Test with Dual Stack DNS record
 timeout (11.882s)


 I  don't  know what this test does. try a local query over ipv6?

  Test for Dual Stack DNS and large packet
 timeout (11.817s)
 Test IPv4 without DNS
 ok (0.214s) using ipv4
 Test IPv6 without DNS
 ok (0.204s) using ipv6
 Test IPv6 large packet
 ok (0.120s) using ipv6
 Test if your ISP's DNS server uses IPv6
 slow (8.752s)
 Find IPv4 Service Provider
 timeout (11.968s)
 Find IPv6 Service Provider
 ok (0.126s) using ipv6 ASN 7922
 Test for buggy DNS
 undefined (5.003s)

 DNS server addresses look reasonable for Comcast.
 DNS 1: 75.75.75.75
 DNS 2: 75.75.76.76


 To try to isolate  things a little  bit, you can turn off fetching ipv4
 dns servers
 with

 option peerdns  '0'

 in the wan (ge00) stanza  of /etc/config/network

 and let the wan6 stanza fetch them.

 A packet capture of it working vs not working would be good.

 tcpdump  -i ge00 -w cap1.cap port 53

 Also  capture on the local interface.

 DNS 1: 2001:558:feed::1
 DNS 2: 2001:558:feed::2

 Today, the problem seems consistent with turning dnssec on and off on the
 router.  If enabled, I have problems; if disabled, I get a clean bill of
 health out of test-ipv6.com.
   - Jim


 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




 --
 Dave Täht

 NSFW:
 https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article




-- 
Dave Täht

NSFW:
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

[Dave Taht]

I see A and  requests for for ds.test-ipv6.com that fail.


On Mon, Apr 28, 2014 at 11:37 AM, Dave Taht dave.t...@gmail.com wrote:

 I have put a link up to two of jim's captures going to test-ipv6 via cero,
 one with dnssec enabled, captured at the local laptop

 http://snapon.lab.bufferbloat.net/~cero2/baddns/

 definately a lot of missing responses when captured at this end. the local
 laptop is using a local dnsmasq forwarder.

 It is falling back to trying a recursive lookup on the default domain (
 ipv6.test-ipv6.com.home.lan ) - which it does do a nxdomain for
 immediately...



 On Mon, Apr 28, 2014 at 10:03 AM, Dave Taht dave.t...@gmail.com wrote:




 On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys j...@freedesktop.org wrote:

 ​​Comcast recently lit up IPv6 native dual stack in the Boston area.

 The http://test-ipv6.com/ web site complains about DNS problems unless
 dnssec is disabled; if it is, I get various timeouts.



  Test with IPv4 DNS record
 ok (4.196s)
 Test with IPv6 DNS record
 ok (0.115s) using ipv6
 Test with Dual Stack DNS record
 timeout (11.882s)


 I  don't  know what this test does. try a local query over ipv6?

  Test for Dual Stack DNS and large packet
 timeout (11.817s)
 Test IPv4 without DNS
 ok (0.214s) using ipv4
 Test IPv6 without DNS
 ok (0.204s) using ipv6
 Test IPv6 large packet
 ok (0.120s) using ipv6
 Test if your ISP's DNS server uses IPv6
 slow (8.752s)
 Find IPv4 Service Provider
 timeout (11.968s)
 Find IPv6 Service Provider
 ok (0.126s) using ipv6 ASN 7922
 Test for buggy DNS
 undefined (5.003s)

 DNS server addresses look reasonable for Comcast.
 DNS 1: 75.75.75.75
 DNS 2: 75.75.76.76


 To try to isolate  things a little  bit, you can turn off fetching ipv4
 dns servers
 with

 option peerdns  '0'

 in the wan (ge00) stanza  of /etc/config/network

 and let the wan6 stanza fetch them.

 A packet capture of it working vs not working would be good.

 tcpdump  -i ge00 -w cap1.cap port 53

 Also  capture on the local interface.

  DNS 1: 2001:558:feed::1
 DNS 2: 2001:558:feed::2

 Today, the problem seems consistent with turning dnssec on and off on
 the router.  If enabled, I have problems; if disabled, I get a clean bill
 of health out of test-ipv6.com.
   - Jim


 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




 --
 Dave Täht

 NSFW:
 https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article




 --
 Dave Täht

 NSFW:
 https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article




-- 
Dave Täht

NSFW:
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] test-ipv6.com vs dnssec

[Dave Taht]

On Fri, Apr 25, 2014 at 11:49 AM, Simon Kelley si...@thekelleys.org.uk wrote:
 On 25/04/14 19:01, Jim Gettys wrote:
 More specifically, after boot, most of the time test-ipv6.com reports lots
 of problems.

 Then I turned off both dnssec and dnssec-check-unsigned, and restarted
 dnsmasq; clean bill of health from test-ipv6.com.

 Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
 clean bill of health.

 Then I turned on both at the same time, and things are working.

 So we seem to have a boot time race of some sort.
   - Jim




 test-ipv6.com is unsigned, so the important thing which is likely
 failing is the query for the DS record of test-ipv6.com, which should
 return NSEC records providing it doesn't exist, signed by .com

As one example of a registrar not with the program, name.com
(registrar for bufferbloat.net) does not allow for ds records to
come from it, so that domain can't be fully signed.

So it sounds to me as if negative proofs are not possible with
registrars that lack this support?


 Simon.




 On Fri, Apr 25, 2014 at 1:39 PM, Dave Taht dave.t...@gmail.com wrote:

 jg tells me the test-ipv6.com site fails with dnssec and enabled on
 native ipv6.

 disabling dnssec works.

 anyone can confirm? get a log/packet capture?


 --
 Dave Täht
 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss





-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Had to disable dnssec today

[Dave Taht]

On Sat, Apr 26, 2014 at 4:38 AM, Aaron Wood wood...@gmail.com wrote:
 Just too many sites aren't working correctly with dnsmasq and using Google's
 DNS servers.

After 4 days of uptime, I too ended up with a wedged cerowrt 3.10.36-6 on wifi.

The symptoms
were dissimilar from what has been described here - I was seeing odhcpd
trying to and failing to answer requests on the wifi interfaces, which I'd never
seen in operation before (and could have been a self-induced failure by
fiddling with hnetd)

I have merged with openwrt head, which has some hostapd and routing fixes,
as well as dnsmasq head which has some dnssec lookup fixes...
and put out cerowrt-3.10.36-7. On first boot, it had problems getting anything
on wifi to do dhcp. A reboot later (with multicast 9000 also disabled),
a kindle that was failing to get online did. This box has also never got
upstream dns servers right from the isp. I'll fiddle with the multicast thing
later, to see if that or the reboot fixed it.

With this dnssec with dnssec-check-unsigned, once time is correct:

 - Bank of America (sso-fi.bankofamerica.com)

still fails. It ain't our fault it's broke.

 - Weather Underground (cdnjs.cloudflare.com)

succeeds.

 - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)

succeeds.

 http://test-ipv6.com/

don't have ipv6 capability at this location, so this succeeds. I did see
it fail once on the first boot but haven't repeated it.


 And I'm not getting any traction with reporting the errors to those sites,
 so it's frustrating in getting it properly fixed.

There needs to be constant network wide scanning service of some kind
to detect dnssec configuration errors.


 While Akamai and cloudflare appear to be issues with their entries in google
 dns, or with dnsmasq's validation of them being insecure domains, the BofA
 issue appears to be an outright bad key.  And BofA isn't being helpful (just
 a continual we use ssl sort of quasi-automated response).

Cluebats are needed.

 So I'm disabling it for now, or rather, falling back to using my ISP's dns
 servers, which don't support DNSSEC at this time.  I'll be periodically
 turning it back on, but too much is broken (mainly due to the cdns) to be
 able to rely on it at this time.

don't blame you, but if we weren't beating it up, nobody would be.


 -Aaron



 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

[Dave Taht]

What does unbound or bind do?

On Thu, Apr 24, 2014 at 5:35 AM, Aaron Wood wood...@gmail.com wrote:
 And if I use Free.fr's servers, the DS resolves (I'm running CeroWRT
 double-NAT behind a Freebox v6):

 dig @192.168.1.254 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

 ;  DiG 9.8.5-P1  @192.168.1.254 DS
 e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; -HEADER- opcode: QUERY, status: NOERROR, id: 11369
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. IN DS

 ;; AUTHORITY SECTION:
 cn.akamaiedge.net. 1800 IN SOA n0cn.akamaiedge.net. hostmaster.akamai.com.
 1398342840 1000 1000 1000 1800

 ;; Query time: 39 msec
 ;; SERVER: 192.168.1.254#53(192.168.1.254)
 ;; WHEN: Thu Apr 24 14:34:00 CEST 2014
 ;; MSG SIZE  rcvd: 127

 -Aaron


 On Thu, Apr 24, 2014 at 2:33 PM, Aaron Wood wood...@gmail.com wrote:

 Well, I'm seeing the same results as you are from here in Paris (using
 Free.fr).

 -Aaron


 On Thu, Apr 24, 2014 at 1:27 PM, Simon Kelley si...@thekelleys.org.uk
 wrote:

 On 24/04/14 11:49, Aaron Wood wrote:

 
  Dnsmasq does the DS query next because the answer to the A query comes
  back unsigned, so dnsmasq is looking for a DS record that proves this
  is
  OK. It's likely that Verisign does that top-down (starting from the
  root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
  broken DS, whilst dnsmasq does.
 
  That's as good an analysis as I can produce right now. Anyone who can
  shed more light, please do.
 
  (And yes, please report DNSSEC problems  on the dnsmasq-discuss list
  for
  preference.)
 
 
  This is still persisting (and it appears to be blocking a bunch of
  Apple
  software update functions).  From your comments, Simon, it sounds like
  you
  think this is an Akamai issue, and should be reported to them?
 

 I'm not absolutely sure that this isn't also a dnsmasq problem, and
 DNSSEC is still capable of surprising me, but I can't see how a SERVFAIL
 answer to

 dig @8.8.8.8 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

 can not be either a Google ('cause it's their recursive server) or
 Akamai problem.

 Poking further, it looks like the authoritative name servers for that
 zone are

 ;  DiG 9.8.1-P1  @8.8.8.8 NS cn.akamaiedge.net
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; -HEADER- opcode: QUERY, status: NOERROR, id: 43031
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;cn.akamaiedge.net. IN  NS

 ;; ANSWER SECTION:
 cn.akamaiedge.net.  299 IN  NS  n7cn.akamaiedge.net.
 cn.akamaiedge.net.  299 IN  NS  n6cn.akamaiedge.net.
 cn.akamaiedge.net.  299 IN  NS  n0cn.akamaiedge.net.
 cn.akamaiedge.net.  299 IN  NS  n2cn.akamaiedge.net.
 cn.akamaiedge.net.  299 IN  NS  n5cn.akamaiedge.net.
 cn.akamaiedge.net.  299 IN  NS  n4cn.akamaiedge.net.
 cn.akamaiedge.net.  299 IN  NS  n3cn.akamaiedge.net.
 cn.akamaiedge.net.  299 IN  NS  n1cn.akamaiedge.net.
 cn.akamaiedge.net.  299 IN  NS  n8cn.akamaiedge.net.

 and all of those give sensible answers for

 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

 except n8cn.akamaiedge.net, which isn't responding, so I rather think
 this may be a Google mess.

 Or maybe it's Great Firewall induced breakage?

 Cheers,


 Simon.








-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

[Dave Taht]

I will argue that a  better place to report  dnssec  validation
errors is the dnsmasq  list.

On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood wood...@gmail.com wrote:
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A]
 e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
 e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
 e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
 e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
 e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
 e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is
 BOGUS
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
 e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186

 This one validates via verisign, however.

 -Aaron

 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] dnssec and local caching dns in fedora and network manager

[Dave Taht]

interesting long thread over at the fedora project this weekend:

https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html



-- Forwarded message --
From: Chuck Anderson c...@wpi.edu
Date: Sun, Apr 13, 2014 at 10:59 AM
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
To: cerowrt-de...@lists.bufferbloat.net


On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:

  Is there a D?

 Running a full resolver in cerowrt? I've been running a dnssec-enabled bind 
 for some time on my boxes (prior to dnssec support in dnsmasq).

How do these proposals compare with unbound+dnssec-trigger in the
Fedora world?  I stirred up a rats nest:

https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html

I realize these are slightly different use cases, but it may be
helpful to learn from the different implementations, if for no other
reason than to be sure they interoperate.  I'm going to turn on
unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
turned on to see what happens...
___
Cerowrt-devel mailing list
cerowrt-de...@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cerowrt-devel


-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

[Dave Taht]

On Wed, Apr 9, 2014 at 6:24 AM, /dev/rob0 r...@gmx.co.uk wrote:
 On Tue, Apr 01, 2014 at 11:54:28AM -0500, I wrote:
 ^^
 On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
  On 25/03/14 07:03 PM, sven falempin wrote:
   my concern of nettle vs openssl is the amount of review and
   testing nettle did get compared to something more widely(!)
   used openssl
 
  something being used a lot != something being good

 Absolutely true, but in the context of open source software,
 especially cryptographic software, more use also tends to mean
 more code review.

 April Fools!

 ;)

My heart bleeds for the openssl folk and openssl derived application users
right now. More investment into creating, maintaining and improving
core crypto libraries is desperately needed to hold our civilization together.

 I'm not really qualified to judge here what is best; I can only
 point out what I, as a user, think about it. I'll trust Simon's
 judgment, but I hope he has considered these concerns.
 --
   http://rob0.nodns4.us/
   Offlist GMX mail is seen only if /dev/rob0 is in the Subject:

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] DHCPv6 hostname resolving

[Dave Taht]

On Wed, Apr 2, 2014 at 8:59 AM, Albert ARIBAUD albert.arib...@free.fr wrote:
 Le 02/04/2014 17:26, Quintus a écrit :

 Hi there,


 Hi Quintus,


 with DHPv4, dnsmasq properly converts the hostnames send to it to A
 records we can query for. It seems however that this is not the case
 with DHCPv6 and  records; while I can perfectly query for the A
 record of atlantis.cable.internal.xxx.eu (and even the one of
 atlantis without any further qualification is found), querying for its
  record just returns NXDOMAIN, i.e. it's not found.

 Is this a bug, or do I have to enable that feature somehow so it works
 the same for DHCPv6 as it does for DHCPv4?


 As per the manpage for dnsmasq, you should set 'ra-names' in the IPv6
 dhcp-range? e.g., instead of



 dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:::fffe,80,6h

 dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:::fffe,80,6h


 Use

 dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:::fffe,80,6h,ra-names
 dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:::fffe,80,6h,ra-names

 From the manpage:

 ra-names  enables  a  mode  which  gives DNS names to dual-stack
 hosts which do SLAAC for IPv6.  Dnsmasq  uses  the  host's  IPv4
 lease  to  derive  the name, network segment and MAC address and
 assumes that the host will also have an IPv6 address  calculated
 using  the  SLAAC  algorithm,  on  the same network segment. The
 address is pinged, and if a reply is received, an  record is
 added  to  the DNS for this IPv6 address. Note that this is only
 happens for directly-connected networks, (not one doing DHCP via
 a  relay) and it will not work if a host is using privacy exten-
 sions.  ra-names can be combined  with ra-stateless and slaac.

There is even an internet draft on this... not that it's found a home
within any working groups:

http://tools.ietf.org/html/draft-taht-kelley-hunt-dhcpv4-to-slaac-naming-00

 Amicalement,
 --
 Albert.

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

[Dave Taht]

On Tue, Apr 1, 2014 at 9:54 AM, /dev/rob0 r...@gmx.co.uk wrote:
 On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
 On 25/03/14 07:03 PM, sven falempin wrote:
  my concern of nettle vs openssl is the amount of review and
  testing nettle did get compared to something more widely(!)
  used

 something being used a lot != something being good

 Absolutely true, but in the context of open source software,
 especially cryptographic software, more use also tends to mean
 more code review.

 I'm not really qualified to judge here what is best; I can only
 point out what I, as a user, think about it. I'll trust Simon's
 judgment, but I hope he has considered these concerns.

I have not been tracking this conversation closely, but my own
take on matters is that I'm opposed to a monoculture of anything...

http://www.abc.net.au/news/2013-08-29/feature-banana/4922208

And thus I enthusiastically support other OSes than linux, other
dns servers besides bind, and other crypto libraries besides openssl.

 --
   http://rob0.nodns4.us/
   Offlist GMX mail is seen only if /dev/rob0 is in the Subject:

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Stats improvement

[Dave Taht]

On Fri, Mar 28, 2014 at 9:35 AM, Dave Taht dave.t...@gmail.com wrote:
 On Thu, Mar 27, 2014 at 1:57 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 26/03/14 05:12, Olivier Mauras wrote:
 Yes it should definitely be TXT records. Sounds really good to me.

 for upstream servers, why not having upstream.bind return total
 queries forwarded + list of upstream servers that can then be check
 individually with: dig TXT server1.upstream.bind

 OK. Code in git now.

 Try eg

 dig +short chaos txt misses.bind

 and

 dig +short chaos txt servers.bind

 I haven't looked at the code yet, but my take on this was originally that
 I'd wanted a single dns reply for all the statistics (can live
 without), 64 bit counters, and not only tracking misses but the
 latency cost of a miss. Then there are misses that are never

latency cost of a fill, I meant. This would end up giving stats that
are comparable to namebench.


 resolved... and (even harder), things like a 5 minute rolling
 average... and a breakdown by query type (, A, DS, etc)

 gettimeofday() is very efficient on modern linuxes (it gets the time from a
 shared page cache without even making a syscall), but I can see that
 you might want to be able to compile that out.

 And I wasn't expecting you to get to it in this release! Just basic stats is
 great




 Cheers,

 Simon.



 Olivier

 On Tue, 2014-03-25 at 21:37 +, Simon Kelley wrote:
 My feeling it that this should use TXT records, then they can be
 extracted into any application using eg

 dig +short chaos txt stats.bind

 or the equivalent, which outputs the string to stdout.

 The current code has,


 cache-size, insertions which evicted unexpired cache entries,
 queries forwarded, queries answered locally, queries for auth
 zones.


 then for each upstream server,

 queries sent, and queries retried or failed.

 We could have

 size.bind and evictions.bind for cache size and evictions
 local.bind, upstream.bind and auth.bind for queries.

 But how to handle the variable number of upstream servers. Just
 free text?



 Simon.

 Enigmail On 24/03/14 22:53, Olivier Mauras wrote:


 On Mon, 2014-03-24 at 21:55 +, Simon Kelley wrote:
 On 24/03/14 11:25, Olivier Mauras wrote:


 Hello,

 I was wondering what would be the effort, and if there'd
 actually be any interest for some dnsmasq statistics
 improvements. (Yes i'm splitting dicussions ^^) For
 monitoring/graph purposes, actual dnsmasq stats are a bit
 difficult to use and completely unusable if using
 log_queries as it takes too long to retrieve them inside
 logs.

 I'd love to see a stats interface that would output
 total_queries, cache_hits, cache_misses, memory used by
 cache, etc

 Thanks, Olivier


 There's an idea to make this available as a DNS query, in
 the same way that


 dig chaos txt version.bind

 returns the version number.

 Comments?

 Cheers,

 Simon.



 That would be a really good way of doing it!




 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.11 (GNU/Linux)
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iEYEARECAAYFAlM0kMsACgkQKPyGmiibgrcBGQCgh70G5hX6LqTdO+2z0ZEg0PYe
 25EAnRvZ79kpqBVa4g9dGz7XXlKCOTR5
 =85b/
 -END PGP SIGNATURE-



 --
 Dave Täht

 Fixing bufferbloat with cerowrt: 
 http://www.teklibre.com/cerowrt/subscribe.html



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] dnsmasq-2.68 vs. dnsmasq-2.69rc1 Coverity scan diff

[Dave Taht]

did you also compile with dhcpv6 support enabled?

On Tue, Mar 25, 2014 at 7:33 AM, Tomas Hozza tho...@redhat.com wrote:


 - Original Message -
 On 24/03/14 13:51, Tomas Hozza wrote:
  Hi.
 
  I did a version diff scan between 2.68 and 2.69rc1 version.
 From my point of view there is one thing worth of fixing,
  I'm attaching the patch.
 
  I'm also attaching the coverity scan log.
 
  Regards,
 
  Tomas Hozza
 
 

 Thanks, I agree there's a problem if recvfrom() fails and returns -1.
 The solution is to get the sanity checks right, since is already checks
 that n  sizeof(struct dns_header), just too late. I've committed a fix:


 http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=490f90758dba741b10a2af6b70eb561777575e04

 Looks reasonable, too.

 Cheers,

 Simon.

 Hi Simon.

 Unfortunately I noticed, that I didn't enabled the new DNSSEC functionality
 during the Coverity scan :) I did the scan again and found more issues worth
 of fixing.

 Please see the attached log and patches.

 Regards,

 Tomas
 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Stats improvement

[Dave Taht]

I would certainly like to have a standard way of getting these
statistics, through the dns, perhaps one unified with whatever bind
and unbound use (or don't use.)

Not a lot of people seem to be aware of why dns caching forwarders are
so great, although benchmarks like namebench against your chrome or
firefox cache are quite revealing, parsing huge network captures as
I am presently to try to get a grip on timings for dns/response
pairing is a pita and not router centric.

However:

Do check out namebench, it's pretty cool. It does bug me that in tests
against the alexa top 2000 that it invariably selects some other dns
server besides your local one as being the best, because it has
the best average - as if you regularly go to websites in timbuktu and
care about the response time more than, say, google.

Example against alexa top 2000 with a fresh cache:

http://snapon.lab.bufferbloat.net/~d/namebench/namebench_2014-03-20_1255.html

It is much better to test against your more common query set, which I
don't have a snapshot of on that site presently - usually 40% or more
of queries are resolved in a ms, 30% or so via your ISP in under 20ms.

I'd love to see people posting namebench results from against their
firefox/chrome caches... it's in apt on ubuntu at least

the version I have is buggy, you have to hit control-C at least once
for the gui to come up.


On Mon, Mar 24, 2014 at 2:55 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 On 24/03/14 11:25, Olivier Mauras wrote:


 Hello,

 I was wondering what would be the effort, and if there'd
 actually be any interest for some dnsmasq statistics improvements. (Yes
 i'm splitting dicussions ^^)
 For monitoring/graph purposes, actual
 dnsmasq stats are a bit difficult to use and completely unusable if
 using log_queries as it takes too long to retrieve them inside
 logs.

 I'd love to see a stats interface that would output
 total_queries, cache_hits, cache_misses, memory used by cache,
 etc

 Thanks,
 Olivier


 There's an idea to make this available as a DNS query, in the same way that


 dig chaos txt version.bind

 returns the version number.

 Comments?

 Cheers,

 Simon.



 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Setting dns domain name through dhcpv6

[Dave Taht]

I'd like to note that we are trying to get away from resolve.conf.auto in a
couple cases, notably when you have multiple upstreams and you want reverse
queries to go to the right place.

A search list doesn't cut it in that case.

BUT supplying a search list makes sense to clients.
On Mar 8, 2014 1:29 AM, Roy Marples r...@marples.name wrote:

 On 08/03/2014 8:36, Simon Kelley wrote:

 On 07/03/14 21:42, Tom Hendrikx wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Hi,

 I'm using dnsmasq 2.66 to provide my local network with ipv4 dhcp, and
 ipv6 information requests (ip addressing is handled by my router).

 I'm able to to provide clients with a dns-server and such through
 dhcpv6, but I'm failing to find the dhcp option that sets 'domain
 lan.example.org' in /etc/resolv.conf, i.e. the v6 equivalent of
 dhcp-option=option:domain-name,lan.example.org

 Can anyone enlighten me? I've searching through
 https://www.iana.org/assignments/dhcpv6-parameters/
 dhcpv6-parameters.xhtml
 but I'm failing to find something useful...


 What you want is option 39, OPTION_CLIENT_FQDN


 domain in resolv.conf(5) isn't normally used. I wouldn't expect any DHCP
 clients to put it there based on the FQDN.
 dhcpcd(8) does :)

 What you probably want is option 24, OPTION_DOMAIN_LIST which I would
 expect every DHCP client to fill out the search entry instead of the domain
 entry.
 If you read resolv.conf(5) you'll find that both pretty much do the same
 thing, but search allows 1 entry.

 Roy

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq, NetworkManager and VPNs

[Dave Taht]

Simon just added support for dynamically adding/removing an upstream
dns server and reverse resolver in the upcoming
release which I think will handle your use case.

On Thu, Mar 6, 2014 at 1:39 AM, Tony Breeds t...@bakeyournoodle.com wrote:
 Hi All,
 I'm a new user of dnsmasq and I can't see an easy way to do what
 I want to do.

 My situation is (probably not that uncommon) I need to connect to a work
 VPN and while I'm connected to said VPN I need to query work's DNS
 servers for company.com addresses but all other queries should go
 through my normal (as supplied by DHCP) DNS servers.

 I tried adding a config file like:
 server=/company.com/DNS_SERVER_1@interface
 server=/company.com/DNS_SERVER_2@interface
 server=/I.P.ADDR.in-addr.arpa/DNS_SERVER_1@interface
 server=/I.P.ADDR.in-addr.arpa/DNS_SERVER_2@interface

 Now my problem is that if that file exists when dnsmasq starts and my
 VPN interface isn't up, dnsmasq prints an error and exits.  This is
 especially painful as I'm starting dnsmasq from NetworkManager (by
 setting dns=dnsmasq in the NetworkManager config file)

 I can run a script that adds and removes the config file on VPN up/down
 events but I can't find a way to re-read all the config files for a
 running dnsmasq process.

 My next thought was to use the dbus interface to inject the above
 configuration to the running dnsmasq server, but I don't see a syntax
 that will remove the configuration when I take down my VPN.

 So any advice? this must be possible, perhaps I just need to be more
 creative.

 Tony.


 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Speed comparison dnsmasq - unbound?

[Dave Taht]

On Sun, Feb 16, 2014 at 9:06 AM, /dev/rob0 r...@gmx.co.uk wrote:
 On Sun, Feb 16, 2014 at 07:38:37AM +0100, Oliver Rath wrote:
 did somebody some speed comparison tests for the dns caching
 functionality between dnsmasq and unbound (http://unbound.net/)?

 Compare apples to apples. You're not doing that.

 Dnsmasq is a DNS forwarder. Unbound is a DNS resolver. Unbound
 actually does the work of accepting recursive queries and then
 performing the iterative queries to find the answer.

To be mildly more clear, DNSmasq is a caching forwarder,
(although I just discovered caching is turned off in ubuntu's implementation)

While not a recursing resolver, it can be configured as a primary dns server
for a small set of (sub)domains easily.

The fact that it caches, however, is very important.

 Dnsmasq simply hands off these queries to a backend resolver, such as
 BIND named or unbound. Accordingly, I'd expect dnsmasq to be faster,
 but noting that the comparison is meaningless.

 Ive read that unbound is the fastest dns caching server including
 dnssec support, but I could imagine, that dnsmasq has the same
 speed (or better).

 I've read a lot of things on the Internet. Some of them might have
 been true. Unqualified claims of speed are usually bogus. Such
 claims are especially difficult to establish in the realm of DNS,
 because your apparent speed is largely dependent upon random third
 parties' servers and the speed of their Internet connections.

 Do you have a link to these speed studies? I'd like to see them.

 Unbound is the new standard dns caching server in FreeBSD 10 and
 replaces bind.

 IIUC that's only partly true. BIND is a complete DNS implementation,
 whereas unbound is only a caching resolver. Those who are serving
 authoritative DNS to the world also need an authoritative DNS server
 such as BIND named or NLNetLabs' NSD.

 Note, best practice usually demands separation of authoritative DNS
 service from recursive service. Unbound/NSD were began with this
 understanding, whereas BIND has roots going back to the very
 beginnings of DNS.

 (The fact that named can do it all in one notwithstanding, this is
 not what ISC recommends. But it is a convenience for some small,
 internal-only sites, where that might override security concerns.)

 Just for interest.
 --
   http://rob0.nodns4.us/
   Offlist GMX mail is seen only if /dev/rob0 is in the Subject:

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Fwd: [Cerowrt-devel] Fwd: Testers wanted: DNSSEC.

[Dave Taht]

-- Forwarded message --
From: Toke Høiland-Jørgensen t...@toke.dk
Date: Wed, Feb 5, 2014 at 12:10 PM
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
To: Dave Taht dave.t...@gmail.com
Cc: cerowrt-de...@lists.bufferbloat.net cerowrt-de...@lists.bufferbloat.net


Toke Høiland-Jørgensen t...@toke.dk writes:

 Can add it to my bufferbloat OBS :)

Right, so packages available for Arch, Debian 7 and Ubuntu 12.04, 12.10
and 13.10 are available from here:
https://build.opensuse.org/project/repositories/home:tohojo:dnsmasq

For some reason, signature verification is failing for me on the Arch
repo.


Also, installed it on my workstation, and it seems to do *something* at
least. Running with --log-queries I get output like this:

dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
dnsmasq[19525]: reply tohojo.dk is DS keytag 49471
dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 30141
dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 49471
dnsmasq[19525]: validation result is SECURE

(I'm still running BIND on localhost on a different port which is why
it's forwarded to there...)

And sometimes there's also lines saying

dnsmasq[19525]: validation result is INSECURE

but mostly from in-addr.arpa and other places that I wouldn't expect to
be verified.

Finally there's a bunch of queries that don't say anything about dnssec
anywhere.

Oh, and --dnssec-debug doesn't seem to do anything.

-Toke


-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html


signature.asc
Description: PGP signature
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] coping with ipv6 source routing and dns

[Dave Taht]

On Thu, Jan 30, 2014 at 1:57 AM, Simon Kelley si...@thekelleys.org.uk wrote:
 On 29/01/14 19:22, Dave Taht wrote:

 I have been (mostly) happily fiddling with my new comcast ipv6 connection,
 trying to route all dns queries over ipv6 in particular, by disabling
 requesting the ipv4 dns addrs and relying on the dhcpv6 request to
 succeed.

 config interface eth0
  option 'ifname' 'eth0'
  option 'proto'  'dhcp'
  option 'peerdns' '0'

 config interface wan6
  option ifname   @eth0
  option protodhcpv6
  option 'broadcast' '1'
  option 'metric' '2048'

 works. yea! no more nat holes for ipv4 dns.

 Problem is, I also have a hurricane electric tunnel. When I try to use
 both, addresses from one get used on the other and dns forward
 lookups fail.

 I think the right answer is to abandon resolv.conf.auto
 and instead explicitly assign ipv6 source addrs in dnsmasq...

 server=2001:558:feed::1@:comcast:assigned:ipv6:address
 server=2001:558:feed::2@:comcast.assigned:ipv6:address
 server=2001:470:20::2@my:hurricane:assigned:ipv6:address

To try to explain the reasoning for this better, the first two servers
refuse requests from an address range assigned the third. This is
probably because the first two are not open resolvers.


 yes? (I'll be trying this in a bit)

 One thing of possible useful note is that (yea!) we can just
 select some arbitrary new ipv6 address within the assigned range,
 add it to the local dnsmasq server box, and source dns lookups from
 that, using up just that port space.

 then my own /etc/resolv.conf just points to localhost
 for hm.armory.com,

 so I fix that with

 server=/hm.armory.com/172.26.3.1/
 server=/wifi.armory.com/172.26.2.1/

 But this doesn't help in terms of reverse lookups (I think),
 where I might or might not have my own delegated subdomain.

 from

 someoption=
 comcast.assigned.ipv6.address.range/60 lookup via 2001:558:feed::1 or ::2
 someoption=
 he.assigned.ipv6.address.range/48 lookup via 2001:470:20::2


 I'm not sure I follow all of this, but for reverse DNS  something like
 server=/hex, lots of hex.ip6.arpa/2001:558:feed::1

 Will work.

Syntactically having to have a tool to reverse the domain is a pita,
what I'd like is

reverse=#260x:x:y:z::/60#2001:558:feed::1#



 ?

 and then there's splitting dns... where I might want nuc.hm.armory.com
 s available to the outside universe. somehow.


 Have you looked at the dnsmasq auth stuff for this?

head, hurting.



 Simon.


 ?


 My brain hurts.






 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] coping with ipv6 source routing and dns

[Dave Taht]

I have been (mostly) happily fiddling with my new comcast ipv6 connection,
trying to route all dns queries over ipv6 in particular, by disabling
requesting the ipv4 dns addrs and relying on the dhcpv6 request to
succeed.

config interface eth0
option 'ifname' 'eth0'
option 'proto'  'dhcp'
option 'peerdns' '0'

config interface wan6
option ifname   @eth0
option protodhcpv6
option 'broadcast' '1'
option 'metric' '2048'

works. yea! no more nat holes for ipv4 dns.

Problem is, I also have a hurricane electric tunnel. When I try to use
both, addresses from one get used on the other and dns forward
lookups fail.

I think the right answer is to abandon resolv.conf.auto
and instead explicitly assign ipv6 source addrs in dnsmasq...

server=2001:558:feed::1@:comcast:assigned:ipv6:address
server=2001:558:feed::2@:comcast.assigned:ipv6:address
server=2001:470:20::2@my:hurricane:assigned:ipv6:address

yes? (I'll be trying this in a bit)

One thing of possible useful note is that (yea!) we can just
select some arbitrary new ipv6 address within the assigned range,
add it to the local dnsmasq server box, and source dns lookups from
that, using up just that port space.

then my own /etc/resolv.conf just points to localhost
for hm.armory.com,

so I fix that with

server=/hm.armory.com/172.26.3.1/
server=/wifi.armory.com/172.26.2.1/

But this doesn't help in terms of reverse lookups (I think),
where I might or might not have my own delegated subdomain.

from

someoption=
comcast.assigned.ipv6.address.range/60 lookup via 2001:558:feed::1 or ::2
someoption=
he.assigned.ipv6.address.range/48 lookup via 2001:470:20::2

?

and then there's splitting dns... where I might want nuc.hm.armory.com
s available to the outside universe. somehow.

?


My brain hurts.




-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] DNSSEC enabled dnsmasq dies very quickly

[Dave Taht]

Dnsmasq is barely in git with dnssec support,
So it would help to clearly identify what commit number you are working
from. ?

And: Pull early, pull often.
 On Jan 26, 2014 5:47 PM, e9hack e9h...@gmail.com wrote:

 Hi,

 for testing purpose, I compile dnsmasq with option -DHAVE_DNSSEC. After a
 few name
 queries, dnsmasq dies. In the example, I start firefox on Windows 7. After
 a few queries,
 dnsmasq isn't longer running:

 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: query[A]
 secure.informaction.com from
 192.168.100.2
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: forwarded
 secure.informaction.com to
 192.168.26.1
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: forwarded
 secure.informaction.com to
 8.8.8.8
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: forwarded
 secure.informaction.com to
 2001:4860:4860::
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: forwarded
 secure.informaction.com to
 fe80::1
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: reply
 secure.informaction.com is
 69.195.141.179
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: query[]
 secure.informaction.com
 from 192.168.100.2
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: forwarded
 secure.informaction.com to
 192.168.26.1
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: reply
 secure.informaction.com is
 NODATA-IPv6
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: query[A]
 ocsp.godaddy.com from
 192.168.100.2
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: forwarded
 ocsp.godaddy.com to 192.168.26.1
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: reply ocsp.godaddy.comis 
 CNAME
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: reply
 ocsp.godaddy.com.akadns.net is
 188.121.36.239
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: query[]
 ocsp.godaddy.com from
 192.168.100.2
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: cached
 ocsp.godaddy.com is CNAME
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: forwarded
 ocsp.godaddy.com to 192.168.26.1
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: reply ocsp.godaddy.comis 
 CNAME
 Sun Jan 26 12:04:57 2014 daemon.info dnsmasq[1880]: reply
 ocsp.godaddy.com.akadns.net is
 NODATA-IPv6

 My test setup is a carambola box with the current trunk of OpenWRT. If I
 compile it
 without -DHAVE_DNSSEC, it runs perfectly.

 Regards,
 Hartmut

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dhcp-pd, and autoassigned internal interfaces issues

[Dave Taht]

Both dnsmasq in git head and odhcpd in openwrt do as close to the
right thing as possible now.

I released a version of cerowrt that worked right in this scenario
yesterday, specifically for comcast
subscribers, with the patch for dnsmasq (if you want to use that) but
with odhcpd support by default.

The latter is upstream in openwrt, and dnsmasq 2.68 (with the less
than desirable filter) is not there either,
yet, so that's all good.



On Wed, Jan 22, 2014 at 9:56 AM, John Gorkos jgor...@gmail.com wrote:
 So, in this scenario, what's the appropriate configuration to allow machines
 in the network served by the delegated prefix to get SLAAC addresses and
 provide them with Route Advertisements?
 This goes back to the question that I asked in November that got no
 traction:
 http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007810.html
 , as I'm using a Comcast DHCPv6 assigned address with prefix delegation as
 well.

 John Gorkos



 On 1/22/14, 6:37 AM, Simon Kelley wrote:

 Patch applied.



 Cheers,

 Simon.

 On 21/01/14 16:19, Dave Taht wrote:

 I have finally got my first-ever comcast ipv6 set of users up, and we
 have a problem
 with the interrelationship between addresses assigned dynamically by
 dhcpv6-pd and other means in dnsmasq 2.68.

 What happens now is that dhcpv6-pd works but dnsmasq 2.68 filters out the
 interface

 13: sw00:BROADCAST,MULTICAST,UP,LOWER_UP  mtu 1500 qlen 1000
  inet6 2601:X:Y:9a1::1/64 scope global dynamic
 valid_lft 182420sec preferred_lft 182420sec

 so sends no ras.

 adding a second stable interface dnsmasq picks up.


  inet6 2601:3:8180:9a1::2/64 scope global
 valid_lft forever preferred_lft forever


 this check was not in dnsmasq 2.66, and was put in later for fairly
 sound reasons
 (like you don't want to start serving RAs on a SLAAC assigned
 address), but in the
 dhcp-pd case or otherwise assigned by the router (6in4) case, we do.

 Anyway the below patch fixes it but I'd like there to be some clear
 indicator
 of where things came from somehow.

 From 4f55df81d69d20230e18c90d772904372b2b90a4 Mon Sep 17 00:00:00 2001
 From: Jonas Gorskixx...@openwrt.org
 Date: Wed, 8 Jan 2014 11:55:08 +0100
 Subject: [PATCH] allow dhcp range construction with non-permanent
 addresses


 The linux kernel treats all addresses with a limited lifetime as being
 non permanent, but when taking over the prefix livetimes from upstream
 assigned prefixes through DHCP, addresses will always have a limited
 lifetime.

 Still reject temporary addresses, as they indicate autoconfigured
 interfaces.

 Contributed by T-Labs, Deutsche Telekom Innovation Laboratories

 Signed-off-by: Jonas Gorskij...@openwrt.org
 ---
   src/netlink.c | 2 +-
   1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/netlink.c b/src/netlink.c
 index 3be94ee..d5de4ab 100644
 --- a/src/netlink.c
 +++ b/src/netlink.c
 @@ -265,7 +265,7 @@ int iface_enumerate(int family, void *parm, int
 (*callback)())
   if (ifa-ifa_flags  IFA_F_DEPRECATED)
 flags |= IFACE_DEPRECATED;

 -if (ifa-ifa_flags  IFA_F_PERMANENT)
 +if (!(ifa-ifa_flags  IFA_F_TEMPORARY))
 flags |= IFACE_PERMANENT;

   if (addrp  callback_ok)




 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dhcp-pd, and autoassigned internal interfaces issues

[Dave Taht]

On Tue, Jan 21, 2014 at 5:13 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 On 21/01/14 16:19, Dave Taht wrote:

 I have finally got my first-ever comcast ipv6 set of users up, and we
 have a problem
 with the interrelationship between addresses assigned dynamically by
 dhcpv6-pd and other means in dnsmasq 2.68.

 What happens now is that dhcpv6-pd works but dnsmasq 2.68 filters out the
 interface

 13: sw00: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qlen 1000
  inet6 2601:X:Y:9a1::1/64 scope global dynamic
 valid_lft 182420sec preferred_lft 182420sec

 so sends no ras.

 adding a second stable interface dnsmasq picks up.


  inet6 2601:3:8180:9a1::2/64 scope global
 valid_lft forever preferred_lft forever


 this check was not in dnsmasq 2.66, and was put in later for fairly
 sound reasons
 (like you don't want to start serving RAs on a SLAAC assigned
 address), but in the
 dhcp-pd case or otherwise assigned by the router (6in4) case, we do.

 Anyway the below patch fixes it but I'd like there to be some clear
 indicator
 of where things came from somehow.


 Comparing the code in bpf.c (for *BSD) and netlink.c (for Linux) I think
 it's clear what's meant: exclusion of privacy addresses and addresses
 installed as a result of RAs received.  The patch covers the first of those,
 but there doesn't seem to be a Linux equivalent of the BSD IN6_IFF_AUTOCONF
 flag to detect RA-originated addresses. I looked at the kernel source, and
 there's no candidate I can see.

 I suspect that this patch is the best that can be done.

Well, no, we can always go off and get this BSD IPv6 RA flag into the Linux
kernel too. :)

Looks needed and useful. And trivial.



 Cheers,

 Simon.



 From 4f55df81d69d20230e18c90d772904372b2b90a4 Mon Sep 17 00:00:00 2001
 From: Jonas Gorski xx...@openwrt.org
 Date: Wed, 8 Jan 2014 11:55:08 +0100
 Subject: [PATCH] allow dhcp range construction with non-permanent
 addresses


 The linux kernel treats all addresses with a limited lifetime as being
 non permanent, but when taking over the prefix livetimes from upstream
 assigned prefixes through DHCP, addresses will always have a limited
 lifetime.

 Still reject temporary addresses, as they indicate autoconfigured
 interfaces.

 Contributed by T-Labs, Deutsche Telekom Innovation Laboratories

 Signed-off-by: Jonas Gorski j...@openwrt.org
 ---
   src/netlink.c | 2 +-
   1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/netlink.c b/src/netlink.c
 index 3be94ee..d5de4ab 100644
 --- a/src/netlink.c
 +++ b/src/netlink.c
 @@ -265,7 +265,7 @@ int iface_enumerate(int family, void *parm, int
 (*callback)())
   if (ifa-ifa_flags  IFA_F_DEPRECATED)
 flags |= IFACE_DEPRECATED;

 -if (ifa-ifa_flags  IFA_F_PERMANENT)
 +if (!(ifa-ifa_flags  IFA_F_TEMPORARY))
 flags |= IFACE_PERMANENT;

   if (addrp  callback_ok)






-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Can't ping when using FQDN

[Dave Taht]

Using .local is generally reserved for multicast DNS.

Don't do that.

On Nov 8, 2013 1:37 AM, Guillaume Betous guillaume.bet...@gmail.com
wrote:

 you must be right :

 domain domain.local
 nameserver my.isp.ip.address1
 nameserver my.isp.ip.address2

 2013/11/8 Albert ARIBAUD albert.arib...@free.fr:
  Le 08/11/2013 07:44, Guillaume Betous a écrit :
 
  Hi !
 
  I'm trying to setup my local network with a local domain (say
  domain.local).
 
  In dnsmasq.conf :
  - local=/domain.local/
  - domain=domain.local
  - expand_hosts
 
  Only the server has a fixed IP address (192.168.0.11), all other use
DNS :
  DNS is based on machine hostname = this works great, all machine have
  it's right IP address
  e.g. :
  - dhcp-host=foo,192.168.0.2,infinite
  - dhcp-host=bar,192.168.0.30,infinite
 
  On the different machine, the /etc/resolv.conf seems to be correctly
  updated :
  domain domain.local
  search domain.local
  nameserver 192.168.0.11
 
 
  When I ping a computer, I have very different results following the
test
  case :
 
  From other computer, with single name = OK
 
  
 
  guillaume@foo:~$ ping bar
  PING bar.domain.local (192.168.0.30) 56(84) bytes of data.
  64 bytes from bar.domain.local (192.168.0.30): icmp_seq=1 ttl=64
time=110
  ms
  64 bytes from bar.domain.local (192.168.0.30): icmp_seq=2 ttl=64
time=153
  ms
  64 bytes from bar.domain.local (192.168.0.30): icmp_seq=3 ttl=64
time=78.1
  ms
 
  From server, with single name = Not OK
 
  
 
  guillaume@server:~$ ping bar
  ping: unknown host bar
 
  From other computer or server, with full name = Not OK
 
  =
 
  guillaume@foo:~$ ping bar.domain.local
  ping: unknown host bar.domain.local
 
 
  Do you have an idea on what is wrong with my configuration ?
 
 
  Most probably the server is not configured to use itself as a DNS, and
  therefore relies on its /etc/hosts on for resolution; and as the names
of
  the machine which dnsmasq serves are not in the server's /etc/hosts,
they
  don't get resolved locally.
 
  What does /etc/resolv.conf contain on the server?
 
  Thanks,
 
  gUI
 
 
  Amicalement,
  --
  Albert.
 
  ___
  Dnsmasq-discuss mailing list
  Dnsmasq-discuss@lists.thekelleys.org.uk
  http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



 --
 Pour la santé de votre ordinateur, préférez les logiciels libres.
 Lire son mail : http://www.mozilla-europe.org/fr/products/thunderbird/
 Browser le web : http://www.mozilla-europe.org/fr/products/firefox/
 Suite bureautique : http://www.libreoffice.org/download/

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Can't ping when using FQDN

[Dave Taht]

On Nov 8, 2013 2:08 AM, Guillaume Betous guillaume.bet...@gmail.com
wrote:

 what kind of local domain name can I use ? I thought the .local was
 reserved for local networks...
See

http://en.wikipedia.org/wiki/.local


 gUI

 2013/11/8 Dave Taht dave.t...@gmail.com:
 
  Using .local is generally reserved for multicast DNS.
 
  Don't do that.
 
  On Nov 8, 2013 1:37 AM, Guillaume Betous guillaume.bet...@gmail.com
  wrote:
 
  you must be right :
 
  domain domain.local
  nameserver my.isp.ip.address1
  nameserver my.isp.ip.address2
 
  2013/11/8 Albert ARIBAUD albert.arib...@free.fr:
   Le 08/11/2013 07:44, Guillaume Betous a écrit :
  
   Hi !
  
   I'm trying to setup my local network with a local domain (say
   domain.local).
  
   In dnsmasq.conf :
   - local=/domain.local/
   - domain=domain.local
   - expand_hosts
  
   Only the server has a fixed IP address (192.168.0.11), all other use
   DNS :
   DNS is based on machine hostname = this works great, all machine
have
   it's right IP address
   e.g. :
   - dhcp-host=foo,192.168.0.2,infinite
   - dhcp-host=bar,192.168.0.30,infinite
  
   On the different machine, the /etc/resolv.conf seems to be correctly
   updated :
   domain domain.local
   search domain.local
   nameserver 192.168.0.11
  
  
   When I ping a computer, I have very different results following the
   test
   case :
  
   From other computer, with single name = OK
  
   
  
   guillaume@foo:~$ ping bar
   PING bar.domain.local (192.168.0.30) 56(84) bytes of data.
   64 bytes from bar.domain.local (192.168.0.30): icmp_seq=1 ttl=64
   time=110
   ms
   64 bytes from bar.domain.local (192.168.0.30): icmp_seq=2 ttl=64
   time=153
   ms
   64 bytes from bar.domain.local (192.168.0.30): icmp_seq=3 ttl=64
   time=78.1
   ms
  
   From server, with single name = Not OK
  
   
  
   guillaume@server:~$ ping bar
   ping: unknown host bar
  
   From other computer or server, with full name = Not OK
  
   =
  
   guillaume@foo:~$ ping bar.domain.local
   ping: unknown host bar.domain.local
  
  
   Do you have an idea on what is wrong with my configuration ?
  
  
   Most probably the server is not configured to use itself as a DNS,
and
   therefore relies on its /etc/hosts on for resolution; and as the
names
   of
   the machine which dnsmasq serves are not in the server's /etc/hosts,
   they
   don't get resolved locally.
  
   What does /etc/resolv.conf contain on the server?
  
   Thanks,
  
   gUI
  
  
   Amicalement,
   --
   Albert.
  
   ___
   Dnsmasq-discuss mailing list
   Dnsmasq-discuss@lists.thekelleys.org.uk
   http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
 
 
 
  --
  Pour la santé de votre ordinateur, préférez les logiciels libres.
  Lire son mail : http://www.mozilla-europe.org/fr/products/thunderbird/
  Browser le web : http://www.mozilla-europe.org/fr/products/firefox/
  Suite bureautique : http://www.libreoffice.org/download/
 
  ___
  Dnsmasq-discuss mailing list
  Dnsmasq-discuss@lists.thekelleys.org.uk
  http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



 --
 Pour la santé de votre ordinateur, préférez les logiciels libres.
 Lire son mail : http://www.mozilla-europe.org/fr/products/thunderbird/
 Browser le web : http://www.mozilla-europe.org/fr/products/firefox/
 Suite bureautique : http://www.libreoffice.org/download/
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Fwd: [homenet] Fwd: WG Action: Formed Extensions for Scalable DNS Service Discovery (dnssd)

[Dave Taht]

The problems cerowrt has with multicast dns over multiple interfaces
are kind of universal.

A new ietf working group is being formed to address the problems with
service discovery beyond the local link and finally (I hope) re-unify
mdns with regular DNS. See below for the announcement. One set of
ideas also on the table is hybrid mdns:

http://tools.ietf.org/html/draft-cheshire-mdnsext-hybrid-02

I'd really welcome a means of doing service discovery over routed
links that was sane.  To me, though, the grand unification of dns,
needs a daemon written that integrates with things like dnsmasq much
better than mdnsresponder or avahi currently do.

There's a ton of things that are hard. For example dns parsing libs
are generally all pretty limited, with the most comprehensive survey
I've seen

http://boston.conman.org/2010/12/06.1

and that's just the tip of the iceberg. What else is hard?

The proxy needs to be small enough to run on routers, and powerful
enough to scale to college campuses. I think there are some commercial
possibilities, but not a lot, so it seems likely that hybrid dns needs
to be an open source project.

While I know there are quite a few people annoyed at present multicast
dns behavior over local links - I don't know who would be interested
in getting to exchange ideas from this wg and turn them into viable
code, or who could fund the work?

-- Forwarded message --
From: Tim Chown t...@ecs.soton.ac.uk
Date: Sat, Oct 26, 2013 at 12:54 AM
Subject: [homenet] Fwd: WG Action: Formed Extensions for Scalable DNS
Service Discovery (dnssd)
To: home...@ietf.org Group home...@ietf.org


Hi,

For those who may have missed the announcement, the new dnssd WG has
now been formed, see below.

During the BoF phase the group was formerly known as mdnsext.  The
name of the mail list has thus also changed from mdns...@ietf.org to
dn...@ietf.org (all subsrcibers of the former should have been moved
to the latter).

dnssd meets on Friday from 11:00am in Vancouver. The provisional agenda is here:
https://datatracker.ietf.org/meeting/88/agenda/dnssd/

Tim

Begin forwarded message:

From: The IESG iesg-secret...@ietf.org
Subject: WG Action: Formed Extensions for Scalable DNS Service Discovery (dnssd)
Date: 25 October 2013 18:06:40 BST
To: IETF-Announce ietf-annou...@ietf.org
Cc: dnssd WG dn...@ietf.org
Reply-To: i...@ietf.org

A new IETF working group has been formed in the Internet Area. For
additional information please contact the Area Directors or the WG
Chairs.

Extensions for Scalable DNS Service Discovery  (dnssd)

Current Status: Proposed WG

Chairs:
 Ralph Droms rdroms.i...@gmail.com
 Tim Chown t...@ecs.soton.ac.uk

Assigned Area Director:
 Ted Lemon ted.le...@nominum.com

Mailing list
 Address: dn...@ietf.org
 To Subscribe: https://www.ietf.org/mailman/listinfo/dnssd
 Archive: http://www.ietf.org/mail-archive/web/dnssd

Charter:

Background
--

Zero configuration networking protocols are currently well suited to
discover services within the scope of a single link.  In particular,
the DNS-SD [RFC 6763] and mDNS [RFC6762] protocol suite (sometimes
referred to using Apple Computer Inc.'s trademark, Bonjour) are
widely used for DNS-based service discovery and host name resolution
on a single link.

The DNS-SD/mDNS protocol suite is used in many scenarios including
home, campus, and enterprise networks.  However, the zero configuration
mDNS protocol is constrained to link-local multicast scope by design,
and therefore cannot be used to discover services on remote links.

In a home network that consists of a single (possibly bridged) link,
users experience the expected discovery behavior; available services
appear because all devices share a common link.  However, in multi-link
home networks (as envisaged by the homenet WG) or in routed campus or
enterprise networks, devices and users can only discover services on
the same link, which is a significant limitation.  This has led to
calls, such as the Educause petition, to develop an appropriate service
discovery solution to span multiple links or to perform discovery across
a wide area, not necessarily on directly connected links.

In addition, the Smart Energy Profile 2 Application Protocol Standard,
published by ZigBee Alliance and HomePlug Powerline Alliance specifies
the DNS-SD/mDNS protocol suite as the basis for its method of zero
configuration service discovery.  However, its use of wireless mesh
multi-link subnets in conjunction with traditional routed networks will
require extensions to the DNS-SD/mDNS protocols to allow operation
across multiple links.

The scenarios in which multi-link service discovery is required may
be zero configuration environments, environments where administrative
configuration is supported, or a mixture of the two.

As demand for service discovery across wider area routed networks
grows, some vendors are beginning to ship proprietary solutions.  It
is 

Re: [Dnsmasq-discuss] dumping current dhcp leases without always updating the leasefile curing normal ?

[Dave Taht]

On Mon, Oct 14, 2013 at 9:42 AM, Simon Kelley si...@thekelleys.org.uk wrote:
 On 11/10/13 16:37, Rick Jones wrote:

 On 10/11/2013 07:16 AM, Simon Kelley wrote:

 On 11/10/13 01:39, Rick Jones wrote:

 I am still on the steep learning slope for dnsmasq. The manpage lists a
 -l/--dhcp-leasefile option into which dnsmasq will store lease
 information. I gather though that it will be updating that all the time
 as leases come and go.

 Is there a version post 2.59 where one can send dnsmasq a signal to
 cause it to dump a copy of its current lease information to a file, but
 without the continuous updates in normal operation?



 No. there's a mode meant for use on flash filesystems that updates the
 lease file less often, if that helps.


 It might actually. I'll try to take a look at it.


 See also this thread


 http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q3/007555.html


  From that I should take away that the lease file format is not fixed
 and there but for the grace of the developers go I should I start
 grubbing through it, yes? I can accept that.

 More context about what youre trying to achieve would help.


 What I would like to be able to do is know (make an informed guess)
 which of the clients which could have a lease probably have a lease (or
 probably do not have a lease), but in an environment where I might have
 either rather busy dnsmasq processes, or a large number of individually
 not very busy dnsmasq processes and want to minimize the storage load.
 But I don't need to know all the time, just occasionally and not
 necessarily on a schedule and not necessarily all the dnsmasq processes.
 So, I figured some sort of dump your current leases feature would
 satisfy that.

 I cannot really rely on the clients being willing to respond to the
 likes of ping, they may only respond to things they've initiated
 themselves. I also do not have other access to the clients (eg their
 console). So, all I can think of presently is trying to ask the dnsmasq
 process(es) what it believes its active leases happen to be.

 thanks,

 rick
 BTW, sorry about botching the last part of the subject there.


 You could achieve the two aims minimise storage load and know about
 dnsmasq leases by implementing the lease database in some sort of
 lightweight database. Dnsmasq is designed so it can be without a lease file
 completely. At startup you prime the in-memory copy of the lease database
 via a DHCP-script init call, and then whilst dnsmasq is running is makes
 calls to the DHCP script as the data changes which can be used to update the
 database.


 Cheers,

 Simon.


There are also hooks for lua.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Names not resolved on Wireless

[Dave Taht]

On Oct 11, 2013 4:02 AM, David Personette dper...@gmail.com wrote:

 Sorry, it's still behaving the same for me. Failed back to 3.10.11-3 once
more.

OK I will set aside time Sunday and Monday to poke deeply into this.

I note you probably needent revert all the way back to this version. You
can wget the version of DNSmasq from this versions packages and forcibly
apply it on top of 3.10.15-4 using opkg.

 --
 David P.


 On Thu, Oct 10, 2013 at 8:01 PM, Dave Taht dave.t...@gmail.com wrote:

 3.10.15-4 is now out there, containing sufficient patches to get
 dnsmasq to the current head of tree, and including the patch below.

 http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.15-4/

 On Thu, Oct 10, 2013 at 1:23 PM, Simon Kelley si...@thekelleys.org.uk
wrote:
  Having thought about this more, this patch is necessary
 
 
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=8584c502d37627d8abe18213771b5f4f98cb4aa3
 
  and should fix the bug iff
 
  1) Dnsmasq is configured using --except-interface=upstream interface
and
  there are no --interface=interface we want to provide service on
config
  lines.
 
  2) Exactly one interface that dnsmasq should be listening on is around
when
  it starts, but others arrive later.
 
  I can't explain why it just broke though, this bug has been around
forever.
 
 
 
  Simon.
 
 
 
 
 
  On 10/10/13 19:30, Dave Taht wrote:
 
  On Thu, Oct 10, 2013 at 9:54 AM, Simon Kelleysi...@thekelleys.org.uk
  wrote:
 
 
  Does reverting
 
 
 
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=397542b213ab4071734f1cdf4cc914d87100456f
 
  fix the issue? I fear it might.
 
 
  Seems likely.
 
  I reverted that patch and put it in this build
 
  http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.15-3/
 
  I won't be in a position to test stuff myself til sunday but cero's
  devoted userbase seems to be hoovering over the reload button and will
  probably beat me to it
 
 
 
  Cheers,
 
  Simon.
 
 
 
  On 10/10/13 15:43, Dave Taht wrote:
 
 
  Dear Dr. Dnsmasq:
 
  When cerowrt made the jump between dnsmasq-2.67-test10 and
  dnsmasq-2.67-test17, detection of interfaces other than the first
  started failing. It seems to be related to interfaces that come up
  after dnsmasq starts, as restarting it after the device is fully
  booted works. Have moved forward to 2.67-rc3 to no avail.
 
  (along the way we migrated from kernel 3.10.11 to 3.10.13 to 3.10.15
  but I doubt that's the issue)
 
  Hot, fresh, firmware can be had at:
 
  http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/
 
 
  knacky   [10:39:25] has anyone had IPv4 DHCP problems in the last
two
  3.10.x
  builds?  currently running 3.10.11-3 and it works flawlessly.
  upgraded to 3.10.13-2 and 3.10.15-1 and both present me with an
  identical issue.  upon reboot after upgrading, DHCP leases are no
  longer handed out on the wireless interfaces.  disabling and
  re-enabling DHCP on the wireless interfaces will fix the problem,
but
  the problem
  knacky   [10:39:26] returns after a reboot.  disable/reenable
DHCP on
  the
  interface will again temporarily fix it.
  knacky   [10:42:03] also tried a fresh install (using reset to
  defaults
  option) to avoid anything not properly interpreted from the config
of
  the previous version, but still get the same issue.
 
 
  On Thu, Oct 10, 2013 at 5:30 AM, David Personettedper...@gmail.com
  wrote:
 
 
  Just tested again with 3.10.15-2. My OSX (10.8.5) laptop worked,
  neither
  my
  Nexus 7 (2013 w/CM10.2) or my Fedora 19 laptop could resolve DNS
over
  wireless. My wired Linux server (Ubuntu 12.04.3) was working fine
as
  well.
  Reverted to 3.10.11-3 once more.
 
  --
  David P.
 
 
  On Mon, Oct 7, 2013 at 7:40 PM, David Personettedper...@gmail.com
  wrote:
 
 
 
  I can confirm it as well. I wiped my config back to defaults, and
it
  wasn't fixed. Reinstalled the 3.10.11-3 build, and restored my
configs
  and
  all is well.
 
  --
  David P.
 
 
  On Mon, Oct 7, 2013 at 7:07 PM, Fred Strattonfredstrat...@imap.cc

  wrote:
 
 
 
  True for the last two builds. Wired works as expected.
 
  Is this a problem with the development version of DNSMasq? What
is
  the
  recommended workaround?
 
  ___
  Cerowrt-devel mailing list
  cerowrt-de...@lists.bufferbloat.net
  https://lists.bufferbloat.net/listinfo/cerowrt-devel
 
 
 
 
 
 
  ___
  Cerowrt-devel mailing list
  cerowrt-de...@lists.bufferbloat.net
  https://lists.bufferbloat.net/listinfo/cerowrt-devel
 
 
 
 
 
 
  ___
  Dnsmasq-discuss mailing list
  Dnsmasq-discuss@lists.thekelleys.org.uk
  http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
 
 
 
 
 



 --
 Dave Täht

 Fixing bufferbloat with cerowrt:
http://www.teklibre.com/cerowrt/subscribe.html
 ___
 Cerowrt-devel mailing list
 cerowrt-de

Re: [Dnsmasq-discuss] [Cerowrt-devel] Names not resolved on Wireless

[Dave Taht]

Dear Dr. Dnsmasq:

When cerowrt made the jump between dnsmasq-2.67-test10 and
dnsmasq-2.67-test17, detection of interfaces other than the first
started failing. It seems to be related to interfaces that come up
after dnsmasq starts, as restarting it after the device is fully
booted works. Have moved forward to 2.67-rc3 to no avail.

(along the way we migrated from kernel 3.10.11 to 3.10.13 to 3.10.15
but I doubt that's the issue)

Hot, fresh, firmware can be had at:

http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/


knacky [10:39:25] has anyone had IPv4 DHCP problems in the last two 3.10.x
builds?  currently running 3.10.11-3 and it works flawlessly.
upgraded to 3.10.13-2 and 3.10.15-1 and both present me with an
identical issue.  upon reboot after upgrading, DHCP leases are no
longer handed out on the wireless interfaces.  disabling and
re-enabling DHCP on the wireless interfaces will fix the problem, but
the problem
knacky [10:39:26] returns after a reboot.  disable/reenable DHCP on the
interface will again temporarily fix it.
knacky [10:42:03] also tried a fresh install (using reset to defaults
option) to avoid anything not properly interpreted from the config of
the previous version, but still get the same issue.


On Thu, Oct 10, 2013 at 5:30 AM, David Personette dper...@gmail.com wrote:
 Just tested again with 3.10.15-2. My OSX (10.8.5) laptop worked, neither my
 Nexus 7 (2013 w/CM10.2) or my Fedora 19 laptop could resolve DNS over
 wireless. My wired Linux server (Ubuntu 12.04.3) was working fine as well.
 Reverted to 3.10.11-3 once more.

 --
 David P.


 On Mon, Oct 7, 2013 at 7:40 PM, David Personette dper...@gmail.com wrote:

 I can confirm it as well. I wiped my config back to defaults, and it
 wasn't fixed. Reinstalled the 3.10.11-3 build, and restored my configs and
 all is well.

 --
 David P.


 On Mon, Oct 7, 2013 at 7:07 PM, Fred Stratton fredstrat...@imap.cc
 wrote:

 True for the last two builds. Wired works as expected.

 Is this a problem with the development version of DNSMasq? What is the
 recommended workaround?

 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Names not resolved on Wireless

[Dave Taht]

On Thu, Oct 10, 2013 at 9:54 AM, Simon Kelley si...@thekelleys.org.uk wrote:

 Does reverting

 http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=397542b213ab4071734f1cdf4cc914d87100456f

 fix the issue? I fear it might.

Seems likely.

I reverted that patch and put it in this build

http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.15-3/

I won't be in a position to test stuff myself til sunday but cero's
devoted userbase seems to be hoovering over the reload button and will
probably beat me to it



 Cheers,

 Simon.



 On 10/10/13 15:43, Dave Taht wrote:

 Dear Dr. Dnsmasq:

 When cerowrt made the jump between dnsmasq-2.67-test10 and
 dnsmasq-2.67-test17, detection of interfaces other than the first
 started failing. It seems to be related to interfaces that come up
 after dnsmasq starts, as restarting it after the device is fully
 booted works. Have moved forward to 2.67-rc3 to no avail.

 (along the way we migrated from kernel 3.10.11 to 3.10.13 to 3.10.15
 but I doubt that's the issue)

 Hot, fresh, firmware can be had at:

 http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/


 knacky  [10:39:25] has anyone had IPv4 DHCP problems in the last two
 3.10.x
 builds?  currently running 3.10.11-3 and it works flawlessly.
 upgraded to 3.10.13-2 and 3.10.15-1 and both present me with an
 identical issue.  upon reboot after upgrading, DHCP leases are no
 longer handed out on the wireless interfaces.  disabling and
 re-enabling DHCP on the wireless interfaces will fix the problem, but
 the problem
 knacky  [10:39:26] returns after a reboot.  disable/reenable DHCP on the
 interface will again temporarily fix it.
 knacky  [10:42:03] also tried a fresh install (using reset to defaults
 option) to avoid anything not properly interpreted from the config of
 the previous version, but still get the same issue.


 On Thu, Oct 10, 2013 at 5:30 AM, David Personettedper...@gmail.com
 wrote:

 Just tested again with 3.10.15-2. My OSX (10.8.5) laptop worked, neither
 my
 Nexus 7 (2013 w/CM10.2) or my Fedora 19 laptop could resolve DNS over
 wireless. My wired Linux server (Ubuntu 12.04.3) was working fine as
 well.
 Reverted to 3.10.11-3 once more.

 --
 David P.


 On Mon, Oct 7, 2013 at 7:40 PM, David Personettedper...@gmail.com
 wrote:


 I can confirm it as well. I wiped my config back to defaults, and it
 wasn't fixed. Reinstalled the 3.10.11-3 build, and restored my configs
 and
 all is well.

 --
 David P.


 On Mon, Oct 7, 2013 at 7:07 PM, Fred Strattonfredstrat...@imap.cc
 wrote:


 True for the last two builds. Wired works as expected.

 Is this a problem with the development version of DNSMasq? What is the
 recommended workaround?

 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel





 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel






 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Cerowrt-devel] Names not resolved on Wireless

[Dave Taht]

3.10.15-4 is now out there, containing sufficient patches to get
dnsmasq to the current head of tree, and including the patch below.

http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.15-4/

On Thu, Oct 10, 2013 at 1:23 PM, Simon Kelley si...@thekelleys.org.uk wrote:
 Having thought about this more, this patch is necessary

 http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=8584c502d37627d8abe18213771b5f4f98cb4aa3

 and should fix the bug iff

 1) Dnsmasq is configured using --except-interface=upstream interface and
 there are no --interface=interface we want to provide service on config
 lines.

 2) Exactly one interface that dnsmasq should be listening on is around when
 it starts, but others arrive later.

 I can't explain why it just broke though, this bug has been around forever.



 Simon.





 On 10/10/13 19:30, Dave Taht wrote:

 On Thu, Oct 10, 2013 at 9:54 AM, Simon Kelleysi...@thekelleys.org.uk
 wrote:


 Does reverting


 http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=397542b213ab4071734f1cdf4cc914d87100456f

 fix the issue? I fear it might.


 Seems likely.

 I reverted that patch and put it in this build

 http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.15-3/

 I won't be in a position to test stuff myself til sunday but cero's
 devoted userbase seems to be hoovering over the reload button and will
 probably beat me to it



 Cheers,

 Simon.



 On 10/10/13 15:43, Dave Taht wrote:


 Dear Dr. Dnsmasq:

 When cerowrt made the jump between dnsmasq-2.67-test10 and
 dnsmasq-2.67-test17, detection of interfaces other than the first
 started failing. It seems to be related to interfaces that come up
 after dnsmasq starts, as restarting it after the device is fully
 booted works. Have moved forward to 2.67-rc3 to no avail.

 (along the way we migrated from kernel 3.10.11 to 3.10.13 to 3.10.15
 but I doubt that's the issue)

 Hot, fresh, firmware can be had at:

 http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/


 knacky   [10:39:25] has anyone had IPv4 DHCP problems in the last two
 3.10.x
 builds?  currently running 3.10.11-3 and it works flawlessly.
 upgraded to 3.10.13-2 and 3.10.15-1 and both present me with an
 identical issue.  upon reboot after upgrading, DHCP leases are no
 longer handed out on the wireless interfaces.  disabling and
 re-enabling DHCP on the wireless interfaces will fix the problem, but
 the problem
 knacky   [10:39:26] returns after a reboot.  disable/reenable DHCP on
 the
 interface will again temporarily fix it.
 knacky   [10:42:03] also tried a fresh install (using reset to
 defaults
 option) to avoid anything not properly interpreted from the config of
 the previous version, but still get the same issue.


 On Thu, Oct 10, 2013 at 5:30 AM, David Personettedper...@gmail.com
 wrote:


 Just tested again with 3.10.15-2. My OSX (10.8.5) laptop worked,
 neither
 my
 Nexus 7 (2013 w/CM10.2) or my Fedora 19 laptop could resolve DNS over
 wireless. My wired Linux server (Ubuntu 12.04.3) was working fine as
 well.
 Reverted to 3.10.11-3 once more.

 --
 David P.


 On Mon, Oct 7, 2013 at 7:40 PM, David Personettedper...@gmail.com
 wrote:



 I can confirm it as well. I wiped my config back to defaults, and it
 wasn't fixed. Reinstalled the 3.10.11-3 build, and restored my configs
 and
 all is well.

 --
 David P.


 On Mon, Oct 7, 2013 at 7:07 PM, Fred Strattonfredstrat...@imap.cc
 wrote:



 True for the last two builds. Wired works as expected.

 Is this a problem with the development version of DNSMasq? What is
 the
 recommended workaround?

 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel






 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel






 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss








-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss