Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

Enable DNSSEC support question

Discussion in 'Asuswrt-Merlin' started by jgrove, Mar 6, 2016.

  1. jgrove

    jgrove Regular Contributor

    Joined:
    Jul 16, 2009
    Messages:
    51
    Hi All,

    Should i turn on the option "Enable DNSSEC support" in Merlins firmware? Sorry for such a bland question,

    Thanks
     
    netmik3 likes this.
  2. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,608
    Location:
    Canada
    sfx2000 and jgrove like this.
  3. jgrove

    jgrove Regular Contributor

    Joined:
    Jul 16, 2009
    Messages:
    51
    Thank you i appreciate your post,

    Regards
     
  4. peraburek

    peraburek Regular Contributor

    Joined:
    Mar 13, 2015
    Messages:
    148
    I am using OpenDNS servers (they should be DNSSEC capable)

    here is DNSSEC test, but I can't get it to work :((
    http://dnssec.vs.uni-due.de/

    on LAN - DHCP Server - DNSSEC is Enabled

    any idea how to test this, get it working?
    AC68U running - 380.58_alpha3
     
    Last edited: Mar 10, 2016
    netmik3 likes this.
  5. Veldkornet

    Veldkornet Senior Member

    Joined:
    May 24, 2015
    Messages:
    241
    Location:
    Nederland
    OpenDNS does not have DNSSEC, they only have DNSCrypt

    You can try Google's DNS servers, they are DNSSEC capable, although they don't have DNSCrypt.

    8.8.8.8
    8.8.4.4
    2001:4860:4860::8888
    2001:4860:4860::8844

    DNSCrypt.eu is both DNSSEC and DNSCrypt capable, never tried them myself though.

    Here's some more DNSSEC test pages:

    http://dnssec-tools.org/ (Gives Green Pass message)
    http://www.dnssec-failed.org/ (Page Shouldn’t Display if working)
    https://dnssectest.sidnlabs.nl/ (Gives Green Pass Tick)
    http://www.dnssec.nl/home.html (Gives green ticks of DNSSEC and IPv6 on top of page)

    Sent from my iPhone using Tapatalk
     
    Last edited: Mar 10, 2016
    Makaveli and netmik3 like this.
  6. peraburek

    peraburek Regular Contributor

    Joined:
    Mar 13, 2015
    Messages:
    148
    @Veldkornet - thank you, it works with google public dns
    I didn't knew that OpenDNS doesn't support DNSSEC
    I have red something about OpenDNS and DNSCrypt, but I don't recall if they have stated anywhere they don't support DNSSEC. Anyway, issue is resolved :) cheers
     
  7. Veldkornet

    Veldkornet Senior Member

    Joined:
    May 24, 2015
    Messages:
    241
    Location:
    Nederland
    OpenDNS do say the following here on their site:

    So I found it weird that they don't support it. But to be sure, I logged a ticket with them and got the following response:


    Sent from my iPhone using Tapatalk
     
    trentm1 likes this.
  8. peraburek

    peraburek Regular Contributor

    Joined:
    Mar 13, 2015
    Messages:
    148
    thank you @Veldkornet - for asking OpenDNS if/when they will support DNSSEC

    as you said, quoting their sentence "DNSCrypt and DNSSEC are complementary." it makes no sense they don't support DNSSEC if they have to run DNSSEC in order for DNSCrypt to work
    I have changed for the moment to Google Public DNS
     
  9. Veldkornet

    Veldkornet Senior Member

    Joined:
    May 24, 2015
    Messages:
    241
    Location:
    Nederland
    FYI, I see on the OpenDNS site you can "vote" to have it implemented here.
    Currently only 5 people have voted for it.
     
  10. Zirescu

    Zirescu Very Senior Member

    Joined:
    Jul 16, 2013
    Messages:
    673
    Location:
    Kelowna, BC
    No, DNSSEC isn't required for DNSCrypt to work.
     
  11. Veldkornet

    Veldkornet Senior Member

    Joined:
    May 24, 2015
    Messages:
    241
    Location:
    Nederland
    Yes we know... I think you misread the posts.
     
  12. Zirescu

    Zirescu Very Senior Member

    Joined:
    Jul 16, 2013
    Messages:
    673
    Location:
    Kelowna, BC
    Pretty sure I didn't: "it makes no sense they don't support DNSSEC if they have to run DNSSEC in order for DNSCrypt to work"
     
  13. choleric

    choleric Occasional Visitor

    Joined:
    Jan 26, 2014
    Messages:
    26
    Location:
    USA
    Bit of an old thread, sorry. I hope it's not too late to do a little CPR on it.

    I had never enabled the DNSSEC setting until now. Looks like the provider I've been using, Norton ConnectSafe, supports DNSSEC.

    https://dns.norton.com/

    HTH
     
  14. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    11,645
    Location:
    San Diego, CA
    L&LD likes this.
  15. Morac

    Morac Regular Contributor

    Joined:
    Aug 21, 2016
    Messages:
    71
    Sorry for bumping an old thread, but I have a question. I have Comcast which has DNSSEC enable DNS. I have not turned on the "Enable DNSSEC support" option in the Merlin firmware, yet I still indications that DNSSEC is working when I go to the test pages listed in this thread?

    Any idea why that is? What exactly does the "Enable DNSSEC support" option do then? Does it just enable DNSSEC support for the router's DNS server?
     
  16. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,608
    Location:
    Canada
    What DNS are you using on your test computer? If you aren't using your router's IP but directly using the ISP's DNS, that would be why.
     
  17. Morac

    Morac Regular Contributor

    Joined:
    Aug 21, 2016
    Messages:
    71
    DNS is the router's ip address.
     
  18. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,608
    Location:
    Canada
    Then I have no idea how it could be reporting DNSSEC support, unless something in their test is flawed.
     
  19. Morac

    Morac Regular Contributor

    Joined:
    Aug 21, 2016
    Messages:
    71
    I tested a bunch of sites and all sites are reporting DNSSEC is active.

    Is the router simply passing along DNS requests to the WAN DHCP assigned DNS servers if they have DNSSEC in them?
     
    Last edited: Aug 24, 2016
  20. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,608
    Location:
    Canada
    The router passes the request to upstream servers, howver it's the one delivering the result to your client.
     

Share This Page