Post by Simon KelleyPost by Jim GettysMore specifically, after boot, most of the time test-ipv6.com reports lots
of problems.
Then I turned off both dnssec and dnssec-check-unsigned, and restarted
dnsmasq; clean bill of health from test-ipv6.com.
Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
clean bill of health.
Then I turned on both at the same time, and things are working.
So we seem to have a boot time race of some sort.
- Jim
test-ipv6.com is unsigned, so the important thing which is likely
failing is the query for the DS record of test-ipv6.com, which should
return NSEC records providing it doesn't exist, signed by .com
According to http://dnssec-debugger.verisignlabs.com/test-ipv6.com
test-ipv6.com
No DS records found for test-ipv6.com in the com zone
Query to ns1.test-ipv6.com/216.218.228.118 for test-ipv6.com/DNSKEY timed out or failed
Query to ns2.test-ipv6.com/209.128.193.197 for test-ipv6.com/DNSKEY timed out or failed
Failed to get DNSKEY RR set for zone test-ipv6.com
No response from test-ipv6.com nameservers
Compare this to a domain that works with check-unsigned on:
openwrt.org
No DS records found for openwrt.org in the org zone
No DNSKEY records found
openwrt.org A RR has value 78.24.191.177
No RRSIGs found
Is the timeout/failed DNSKEY reply for test-ipv6.com the problem?
with dnssec-check-unsigned turned on (and no IPv6, just IPv4) I get this:
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[A] test-ipv6.com from 172.30.42.12
dnsmasq: forwarded test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DNSKEY] com to 213.154.124.1
dnsmasq: dnssec-query[DS] com to 213.154.124.1
dnsmasq: dnssec-query[DNSKEY] . to 213.154.124.1
dnsmasq: reply . is DNSKEY keytag 40926
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply com is DS keytag 30909
dnsmasq: reply com is DNSKEY keytag 30909
dnsmasq: reply com is DNSKEY keytag 56657
dnsmasq: validation result is INSECURE
dnsmasq: reply test-ipv6.com is 216.218.228.119
dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 213.154.124.1
dnsmasq: query[A] ipv4.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: query[AAAA] ipv4.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv4.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: query[A] ipv6.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv6.test-ipv6.com to 213.154.124.1
dnsmasq: query[AAAA] ipv6.test-ipv6.com.home.lan from 172.30.42.12
dnsmasq: config ipv6.test-ipv6.com.home.lan is NXDOMAIN
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: forwarded ipv4.test-ipv6.com to 213.154.124.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[AAAA] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: dnssec-query[DS] ipv4.test-ipv6.com to 193.231.252.1
dnsmasq: query[A] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: query[AAAA] ipv6.test-ipv6.com from 172.30.42.12
dnsmasq: forwarded ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: dnssec-query[DS] ipv6.test-ipv6.com to 193.231.252.1
dnsmasq: query[A] ipv4.test-ipv6.com from 172.30.42.12
dnsmasq: dnssec retry to 193.231.252.1
dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply ipv4.test-ipv6.com is 216.218.228.119
dnsmasq: reply ipv4.test-ipv6.com is BOGUS DS
dnsmasq: validation result is BOGUS
dnsmasq: reply ipv4.test-ipv6.com is NODATA-IPv6