Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-24 Thread Aaron Wood
On Wed, Apr 23, 2014 at 5:58 PM, Simon Kelley si...@thekelleys.org.ukwrote: On 23/04/14 16:42, Dave Taht wrote: I will argue that a better place to report dnssec validation errors is the dnsmasq list. On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood wood...@gmail.com wrote: Wed Apr 23

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-24 Thread Simon Kelley
On 24/04/14 11:49, Aaron Wood wrote: Dnsmasq does the DS query next because the answer to the A query comes back unsigned, so dnsmasq is looking for a DS record that proves this is OK. It's likely that Verisign does that top-down (starting from the root) whilst dnsmasq does it bottom up.

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-24 Thread Aaron Wood
Well, I'm seeing the same results as you are from here in Paris (using Free.fr). -Aaron On Thu, Apr 24, 2014 at 1:27 PM, Simon Kelley si...@thekelleys.org.ukwrote: On 24/04/14 11:49, Aaron Wood wrote: Dnsmasq does the DS query next because the answer to the A query comes back unsigned,

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-24 Thread Aaron Wood
And if I use Free.fr's servers, the DS resolves (I'm running CeroWRT double-NAT behind a Freebox v6): dig @192.168.1.254 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net ; DiG 9.8.5-P1 @192.168.1.254 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net ; (1 server found) ;; global options:

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-24 Thread Dave Taht
What does unbound or bind do? On Thu, Apr 24, 2014 at 5:35 AM, Aaron Wood wood...@gmail.com wrote: And if I use Free.fr's servers, the DS resolves (I'm running CeroWRT double-NAT behind a Freebox v6): dig @192.168.1.254 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net ; DiG 9.8.5-P1

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-23 Thread Dave Taht
I will argue that a better place to report dnssec validation errors is the dnsmasq list. On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood wood...@gmail.com wrote: Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99 Wed

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-23 Thread Simon Kelley
On 23/04/14 16:42, Dave Taht wrote: I will argue that a better place to report dnssec validation errors is the dnsmasq list. On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood wood...@gmail.com wrote: Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A]

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-23 Thread Dave Taht
On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood wood...@gmail.com wrote: On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley robert.bradl...@gmail.com wrote: ; DiG 9.8.1-P1 +cd @8.8.8.8 a e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net snip rest of NOERROR response But a query for DS on

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-23 Thread Simon Kelley
On 23/04/14 18:29, Dave Taht wrote: On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood wood...@gmail.com wrote: On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley robert.bradl...@gmail.com wrote: ; DiG 9.8.1-P1 +cd @8.8.8.8 a e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net snip rest of NOERROR