Re: [Dnsmasq-discuss] dnscrypt -dnssec problems
On May 25, 2016, at 4:08 PM, wkitt...@gmail.com wrote:

> On 05/25/2016 03:24 PM, Johnny Appleseed wrote:
>> dig +dnssec wikipedia.org
>> ;; Truncated, retrying in TCP mode.
>>
>> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33183
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>
> why is this EDNS udp 4096 but
>
> [...]
>> dig +dnssec wikipedia.org
>>
>> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13239
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1280
>
> this one is only 1280??

It would seem the "EDNS ... udp: 4096" query is using dnscrypt-proxy but the "EDNS ... udp: 1280" query is not.

Johnny, possibly you need "no-resolv" in your dnsmasq.conf?

I assume you have something like:
--
server=127.0.0.1#2053
--
pointing to your dnscrypt-proxy instance.

You may also look into using "proxy-dnssec" if you trust your upstream server's DNSSEC, since it is traveling over a secure dnscrypt-proxy connection.

Lonnie

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
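The forwarding setup suggested in the reply above can be checked mechanically. The following Python check is an added example, not part of the thread or of dnsmasq itself: it reads dnsmasq.conf text and lists the reasons a query could reach a resolver other than the local dnscrypt-proxy. The sample configs are constructed, the finding names are hypothetical, and it assumes the proxy listens on a loopback address.

```python
import re

# Constructed sample configs (not taken from the thread). Port 2053 is the
# dnscrypt-proxy listener port used in the reply above.
LEAKY_CONF = """\
server=127.0.0.1#2053
dnssec
"""
FIXED_CONF = """\
# forward only to the local dnscrypt-proxy
no-resolv
server=127.0.0.1#2053   # dnscrypt-proxy
proxy-dnssec
"""

def parse_conf(text):
    """Return (flags, servers) from dnsmasq.conf text."""
    flags, servers = set(), []
    for raw in text.splitlines():
        # Assumption: '#' starts a comment only at line start or after
        # whitespace, so the '#' in 'ip#port' is preserved.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "server":
            # 'server=/domain/ip#port' -> keep only the address part.
            servers.append(value.strip().rsplit("/", 1)[-1])
        else:
            flags.add(key.strip())
    return flags, servers

def audit(text):
    """List reasons a query could reach a resolver other than the proxy."""
    flags, servers = parse_conf(text)
    findings = []
    if "no-resolv" not in flags:
        # Without it dnsmasq also forwards to the nameservers in resolv.conf.
        findings.append("no-resolv-missing")
    if not servers:
        findings.append("no-upstream-server")
    for addr in servers:
        host = addr.split("#", 1)[0]
        if host and not (host.startswith("127.") or host == "::1"):
            findings.append("non-loopback-upstream:" + addr)
    if {"dnssec", "proxy-dnssec"} <= flags:
        # proxy-dnssec is documented as an alternative to local validation.
        findings.append("dnssec-and-proxy-dnssec-both-set")
    return findings
```

Calling `audit()` on the text of a real dnsmasq.conf returns an empty list only when every upstream is a loopback `server=` entry and `no-resolv` is set.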
Re: [Dnsmasq-discuss] dnscrypt -dnssec problems
On 05/25/2016 03:24 PM, Johnny Appleseed wrote:
> dig +dnssec wikipedia.org
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33183
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096

why is this EDNS udp 4096 but

[...]
> dig +dnssec wikipedia.org
>
> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13239
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1280

this one is only 1280??

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.
[Dnsmasq-discuss] dnscrypt -dnssec problems
dig +dnssec wikipedia.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;wikipedia.org.			IN	A

;; Query time: 391 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 25 13:17:10 2016
;; MSG SIZE rcvd: 42

dig +dnssec wikipedia.org

; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13239
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;wikipedia.org.			IN	A

;; ANSWER SECTION:
wikipedia.org.		3	IN	A	91.198.174.192

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 25 13:23:38 2016
;; MSG SIZE rcvd: 58

WHY??? WTF