[Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

Simon Kelley simon at thekelleys.org.uk
Wed Apr 23 19:04:35 UTC 2014


On 23/04/14 18:29, Dave Taht wrote:
> On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood <woody77 at gmail.com> wrote:
>> On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley <robert.bradley1 at gmail.com>
>> wrote:
>>>
>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>> <snip rest of NOERROR response>
>>>>
>>>> But a query for DS on the same domain, which is what dnsmasq does next,
>>>> returns SERVFAIL, _even_with_ checking disabled.
>>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>> <snip SERVFAIL response>
>>>
>>> This looks identical to the *.cloudflare.com issue I had last week.  In
>>> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
>>> and 8.8.8.8 returns SERVFAIL for DS lookups.  This looks like a bug in
>>> Google's DNS servers as opposed to dnsmasq...
>>
>>
>> A question about dnsmasq and multiple servers.  If I listed both 4.2.2.2 and
>> 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case?
>> would it query both for the DS?  or just "stick" with the first server to
>> start responding with an A-record?
> 
> By default dnsmasq probes for a "best" upstream dns server periodically
> and uses that.

Subsequent queries needed to do DNSSEC validation of an initial answer
are always sent to the same server which provided that answer.


Simon.

> 
>>
>> (I confess that I don't know the details of DNS very well)
>>
>> -Aaron
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel at lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
> 
> 
> 
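The diagnostic Robert ran above (an A query with +cd succeeds, the follow-up DS query with +cd returns SERVFAIL from 8.8.8.8 but not from 4.2.2.2) can be reproduced without dig. The script below is an added example, not code from dnsmasq or from anyone in this thread: it builds the two queries with the CD bit set, reads the RCODE out of the response header, and classifies each upstream the way the thread does. Since dnsmasq sends the DS and DNSKEY follow-ups to whichever server answered the A query, a server that is "DS-broken" under this check will break validation even when a working server is also listed. The resolver addresses and the akamaiedge name are taken from the thread; `SAMPLE_SERVFAIL_RESPONSE` is a constructed packet for offline testing, not a capture from Google DNS.

```python
import socket
import struct

# Added example (not dnsmasq code): reproduce "dig +cd A" then "dig +cd DS"
# against one resolver and report whether DS fails while A succeeds.

QTYPE = {"A": 1, "DS": 43}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_CD = 0x0010  # checking disabled; this is what dig +cd sets


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, cd=True):
    """Build a minimal DNS query (header + one question). cd=True mirrors dig +cd."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    return header + question


def parse_rcode(response, txid=None):
    """Return the RCODE name from a DNS response header (low 4 bits of flags)."""
    if len(response) < 12:
        raise ValueError("short response")
    rid, flags = struct.unpack("!HH", response[:4])
    if txid is not None and rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response (QR bit clear)")
    code = flags & 0x000F
    return RCODE.get(code, "RCODE%d" % code)


# Constructed sample: what a SERVFAIL answer to a CD-bit DS query looks like on
# the wire (header only, question echoed back). Not captured from 8.8.8.8.
SAMPLE_SERVFAIL_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD | 2, 1, 0, 0, 0)
    + encode_name("e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net")
    + struct.pack("!HH", QTYPE["DS"], 1)
)


def probe(resolver, name, timeout=3.0):
    """Send A then DS (both with CD set) to one resolver; return {qtype: rcode}."""
    results = {}
    for qtype in ("A", "DS"):
        txid = 0x1000 + QTYPE[qtype]
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype, txid=txid), (resolver, 53))
            data, _ = sock.recvfrom(4096)
            results[qtype] = parse_rcode(data, txid)
        except socket.timeout:
            results[qtype] = "TIMEOUT"
        finally:
            sock.close()
    return results


def diagnose(results):
    """Classify one resolver's results the way the thread does."""
    if results.get("A") == "NOERROR" and results.get("DS") == "SERVFAIL":
        return "DS-broken: A answers but DS is SERVFAIL even with CD set"
    if results and all(r == "NOERROR" for r in results.values()):
        return "ok"
    return "other: %s" % results


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else \
        "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"
    for resolver in ("8.8.8.8", "4.2.2.2"):
        r = probe(resolver, name)
        print(resolver, r, diagnose(r))
```

Run it with the name that failed for you as the first argument; a "DS-broken" verdict for one upstream and "ok" for another is the pattern Robert saw, and because dnsmasq keeps the validation follow-ups on the server that gave the original answer, listing both upstreams does not route around the broken one.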



