<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 11-7-2016 23:08, Simon Kelley wrote:<br>
<blockquote type="cite"
cite="mid:57840ACF.9030407@thekelleys.org.uk">
<pre wrap="">I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.
The upstream is clearly answering the direct question OK, but the
stalling of some of the DNSSEC queries needed to verify it. That could
be an upstream problem, or a problem with the authoritative servers for
the domain. <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> is signed, but it's a CNAME to
cloudfront.org, so the DS from .org proving that cloudfront.org is not
signed is also required.
Are you still seeing the problem now, or has this resolved itself?
Cheers,
Simon.
</pre>
</blockquote>
<br>
Thanks Simon for your reply and testing. I have now tried with
8.8.8.8 and I have the same problem.<br>
<br>
I see that DNSSEC on firefox.com and mozilla.com is now
disabled and I don't get an "ad" on them when I use dig, and the
output of DNSmasq states INSECURE. So maybe Mozilla is now working
around that problem.<br>
<br>
mozilla.org will not resolve on 8.8.8.8 or 194.109.9.9 and
<a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla">ftp.mozilla</a> does indeed go through Cloudfront but is not secure.<br>
.<br>
.<br>
.<br>
I have been testing a few settings... a lot of settings and
combinations in the past hours and have no way to get a good
response from DNSmasq.<br>
<br>
I first use "<i>dig +dnssec +multi mozilla.org @127.0.0.1</i>", which
seems to have more patience in waiting for a response. DNSmasq seems
to do only one try when using dig and not three as with nslookup.
DNSmasq thinks for about four seconds and then gives a valid
response using dig.<br>
<br>
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8<br>
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7<br>
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7<br>
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7<br>
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7<br>
dnsmasq: validation result is SECURE<br>
dnsmasq: reply mozilla.org is 63.245.215.20<br>
<br>
So on my standard upstream server:<br>
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99<br>
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7<br>
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7<br>
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7<br>
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7<br>
dnsmasq: validation result is SECURE<br>
dnsmasq: reply mozilla.org is 63.245.215.20<br>
<br>
Now the information is in the cache and a next request is instant.<br>
<br>
Also <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> is instant now but insecure:<br>
<br>
dnsmasq: forwarded <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> to 194.109.9.99<br>
dnsmasq: validation result is INSECURE<br>
dnsmasq: reply <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> is &lt;CNAME&gt;<br>
dnsmasq: reply d34chcsvb7ug62.cloudfront.net is 52.85.250.4<br>
dnsmasq: query[AAAA] <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> from 192.168.21.190<br>
dnsmasq: cached <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> is &lt;CNAME&gt;<br>
dnsmasq: forwarded <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> to 194.109.9.99<br>
dnsmasq: validation result is INSECURE<br>
dnsmasq: reply <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> is &lt;CNAME&gt;<br>
<br>
And if I don't use dig mozilla.org or <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> before the
nslookup, it times out again:<br>
<br>
dnsmasq: reply . is DNSKEY keytag 46551, algo 8<br>
dnsmasq: reply . is DNSKEY keytag 19036, algo 8<br>
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1<br>
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2<br>
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99<br>
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99<br>
dnsmasq: reply org is DNSKEY keytag 3177, algo 7<br>
dnsmasq: reply org is DNSKEY keytag 2097, algo 7<br>
dnsmasq: reply org is DNSKEY keytag 9795, algo 7<br>
dnsmasq: reply org is DNSKEY keytag 17883, algo 7<br>
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1<br>
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99<br>
dnsmasq: query[AAAA] <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> from 192.168.21.190<br>
dnsmasq: forwarded <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> to 194.109.9.99<br>
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99<br>
dnsmasq: query[A] <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> from 192.168.21.190<br>
dnsmasq: forwarded <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> to 194.109.9.99<br>
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99<br>
dnsmasq: query[AAAA] <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> from 192.168.21.190<br>
dnsmasq: forwarded <a class="moz-txt-link-abbreviated" href="ftp://ftp.mozilla.org">ftp.mozilla.org</a> to 194.109.9.99<br>
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99<br>
<br>
Cheers, Marcel<br>
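<br>
[Added example, not part of the thread and not dnsmasq's own code: the log excerpts above show the "stalling" pattern Simon describes, a dnssec-query[DNSKEY] for mozilla.org that is re-sent several times while the client's A/AAAA queries for ftp.mozilla.org wait on it, and no DNSKEY reply ever arrives. The script below reads dnsmasq log-queries/log-dnssec output in the format shown in the message and reports every DNSSEC sub-query or forwarded client query that was sent but never answered, together with the validation results that were logged. The line formats are taken from the excerpts; the sample logs are constructed from them, and the function and variable names are this example's own.]<br>
<br>
```python
"""Flag DNSSEC sub-queries and forwarded client queries that dnsmasq sent but
never received an answer for (the "stalled validation" pattern in the thread).

Added example; log line formats follow the excerpts in the message above.
"""
import re

# Line formats as they appear in the thread (a syslog prefix, if present, is
# skipped because re.search is used instead of re.match).
QUERY_RE = re.compile(r"query\[(?P<rrtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
DNSSEC_QUERY_RE = re.compile(r"dnssec-query\[(?P<rrtype>DS|DNSKEY)\] (?P<name>\S+) to (?P<server>\S+)")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<server>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<rdata>.+)$")
RESULT_RE = re.compile(r"validation result is (?P<status>[A-Z]+)")


def analyze(log_text):
    """Return (stalled, results).

    stalled: {(name, rrtype): {"attempts": n, "server": upstream}} for every
             query that was sent at least once and never got a reply line.
    results: the validation results in the order they were logged.
    """
    attempts = {}      # (name, rrtype) -> number of times the query was sent
    servers = {}       # (name, rrtype) -> upstream it was last sent to
    answered = set()   # (name, rrtype) keys that got a matching reply
    last_qtype = {}    # client query type most recently logged for a name
    results = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_qtype[m["name"]] = m["rrtype"]
            continue
        m = DNSSEC_QUERY_RE.search(line) or FORWARD_RE.search(line)
        if m:
            # A forwarded client query takes the type of the query[...] line
            # that preceded it; the forwarded line itself does not carry it.
            rrtype = m.groupdict().get("rrtype") or last_qtype.get(m["name"], "?")
            key = (m["name"], rrtype)
            attempts[key] = attempts.get(key, 0) + 1
            servers[key] = m["server"]
            continue
        m = REPLY_RE.search(line)
        if m:
            rdata = m["rdata"]
            if rdata.startswith("DNSKEY "):
                answered.add((m["name"], "DNSKEY"))
            elif rdata.startswith("DS "):
                answered.add((m["name"], "DS"))
            else:
                # Ordinary answer data (address or <CNAME>): it settles every
                # pending client query for that name, whatever its type.
                for key in attempts:
                    if key[0] == m["name"] and key[1] not in ("DS", "DNSKEY"):
                        answered.add(key)
            continue
        m = RESULT_RE.search(line)
        if m:
            results.append(m["status"])
    stalled = {key: {"attempts": n, "server": servers[key]}
               for key, n in attempts.items() if key not in answered}
    return stalled, results


def report(log_text):
    """Human-readable summary of analyze()."""
    stalled, results = analyze(log_text)
    lines = ["validation results: %s" % (", ".join(results) or "none logged")]
    for (name, rrtype), info in stalled.items():
        lines.append("STALLED %s/%s: sent %d time(s) to %s, no reply"
                     % (name, rrtype, info["attempts"], info["server"]))
    return "\n".join(lines)


# Constructed samples, modelled on the excerpts in the message above.
STALLED_SAMPLE = """\
dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[AAAA] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[A] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[AAAA] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
"""

SECURE_SAMPLE = """\
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20
"""

if __name__ == "__main__":
    print(report(STALLED_SAMPLE))
    print(report(SECURE_SAMPLE))
```
<br>
Running it on a full log (for example <i>journalctl -u dnsmasq</i> piped into analyze()) shows at a glance which chain-of-trust lookups an upstream is dropping, which is the distinction Simon draws between the upstream answering the direct question and stalling the DNSSEC queries needed to validate it.<br>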
</body>
</html>