[380 legacy] DNSSEC no longer compatible with 380.70

[RMerlin]

Root nameservers switched to a newer signature key. 380.70 only contains the old signature. People still running that older firmware and using DNSSEC will have to enable custom script support (Administration -> System), and create a /jffs/configs/dnsmasq.conf.add file, with the following content:

trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

384.7 users are not affected, as this firmware already contains both keys.

 

[TonyK132]

Once I make this change, what test can I perform to verify that this fix is working?

 

[AndreiV]

Once I make this change, what test can I perform to verify that this fix is working?

Google for one of the many DNSSEC checkers.

DNSSEC Checker

 

[TonyK132]

That's not very helpful. I tried several of the checkers and get what looks like mixed results, so I cannot tell if it is really working. But thanks for your response anyway.

Thank you.

 

[Ook]

This is a good test to see if your DNS lookup has used DNSSEC:
https://dnssec.vs.uni-due.de

 

[TonyK132]

Thanks, that is helpful. But sadly it tells me that my DNS resolver does NOT validate DNSSEC signatures. But I have DNSSEC support enabled, and I added the file with the above info (at least I think I did). I'm using PIA VPN with the DNS Configuration set to Strict. What have I setup incorrectly?

 

[TonyK132]

I figured it out. I was using OpenDNS, which does not support DNSSEC. I think PIA also uses OpenDNS. When I changed my DNSs to Google and others, all is now OK.

 

[Kronyx]

I use 1.1.1.1 DNS and it support DNSSEC

 

[Jasso]

Any chance of an idiots guide on how to do this

 

[Kronyx]

Any chance of an idiots guide on how to do this

Read the first post, everything is there to achieve the task.

 

[64bitguy]

Just to be clear... because I didn't see anything about creating the file or getting it in there in your instructions so....Yeah.. the first time I did this, my router went zonkers and locked me out. Couldn't even get in on a hard line.

Had to do a VRAM reset and of course lost all of my settings.. so here we are clean again.

And that's when I learned what it is doing.

This solution is untennable. Or at least not very realistic... at least for me. Using internal jffs is fine, until you reboot. Then it gets wiped, and does a hard reset to defaults.

Anyway... after settings up my Wireless names and admin password... for the 3rd or 4th time, I figured out what is going on...

Correct me if I'm doing something wrong here.... PLEASE.. God... I hope I'm doing something wrong here.

Administration -> System -> Enable jffs
Scroll down, "Enable Telnet"
Apply

Then telnet to 192.168.1.1 and use Admin account and password just set to login.

Then

cd /jffs/configs

Then

vi dnsmasq.conf

Then paste in the above statement.
Then save by hitting "ESC" and then typing ":w" (without the quotes)
Then quit by hitting "ESC" and then typing ":x" (without the quotes)
Then back at telnet prompt, type "cat dnsmasq.conf" (without the quotes) ... Just for good measure to make sure it's correct.
Then at the prompt type "exit" (without the quotes) to close the telnet session.

Meanwhile, back on a your computer, you can no ping those addresses that woudn't ping with DNSSEC enabled before (like asuswrt-merlin.net) and they return IP Addresses...Great...

Then everything is "hunkydory" in terms of the pinging and navigating.

And then you reboot.. and lose everything including any custom settings and yes.. even that file you just wrote.

Sigh...

I realize this isn't going to come off well; but this whole jffs non-solution seems pretty weak for a one line bug fix. I mean.. if there were ever a reason to put out ONE MORE UPDATE to a firmware.. this is it.

In the meantime... I hope someone will tell me that I'm doing something completely wrong.. because I've tried about 4 different ways to do this and it all ends with tears the minute I need to reboot this router.

 

[predatorz]

I figured it out. I was using OpenDNS, which does not support DNSSEC. I think PIA also uses OpenDNS. When I changed my DNSs to Google and others, all is now OK.

OpenDNS support DNSSEC (https://support.opendns.com/hc/en-us/articles/360039659971-DNSSEC-General-Availability).
Have also tested it out, dnssec work fine using OpenDNS.

 

[dave14305]

In the meantime... I hope someone will tell me that I'm doing something completely wrong.. because I've tried about 4 different ways to do this and it all ends with tears the minute I need to reboot this router.

You must create dnsmasq.conf.add not dnsmasq.conf. The contents of .add get appended to the main dnsmasq.conf. When you create dnsmasq.conf, it fully replaces the firmware-generated config, so yes it would go nuts.

 

[bbunge]

Guide for customizing config files: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Custom-config-files
If you are a Windows user most of these files can be created and managed with WinSCP and Putty when SSH access is enabled on the Asus router.

 

[64bitguy]

You must create dnsmasq.conf.add not dnsmasq.conf. The contents of .add get appended to the main dnsmasq.conf. When you create dnsmasq.conf, it fully replaces the firmware-generated config, so yes it would go nuts.

LOL...

Goodness gracious.. I read that 5 times as "add file" .. sheesh.. I'm old.

Yeah... that was the answer!

All of my procedures worked the same (but now with the correct filename of "dnsmasq.conf.add" and I was able to reboot without the router hard resetting itself...

The only question remaining is.. do I need to leave jffs enabled forever for that to get added at every reboot? Or can I disable now that this is done? Sadly, I'm assuming I won't be able to shut jffs down.

 

[dave14305]

The only question remaining is.. do I need to leave jffs enabled forever for that to get added at every reboot? Or can I disable now that this is done? Sadly, I'm assuming I won't be able to shut jffs down.

Yes you need to leave it enabled forever, so that the firmware will know to read that custom config file every time dnsmasq restarts. If that's the only file though, there's little risk of things going crazy in the future.

It really would be better to switch to John's LTS fork. It's still actively developed and current, even though the baseline is an older 374 version, most components are upgraded as new as possible. Wireless drivers haven't changed in a long time, so it's really just features and most importantly, security updates you'll get on the LTS fork. Then this dnsmasq.conf.add hack won't be necessary.

 

[ScubaCat]

vi dnsmasq.conf

Very tiny suggestion to use nano for newbies. It's a much simpler editor and the commands are right there on the bottom (CTRL-X to save&exit). I use vi, myself, but if you're not familiar with or literate on Unix platforms, nano (formerly pico) is the way to go:

nano dnsmasq.conf