Enable DNSSEC support question

I'm currently having a problem where I can't reach any DNSSEC-enabled sites. Disabling DNSSEC lets me access the domains again.

Currently on 380.62_1.

For example, doing a dig using my two resolvers manually works fine:

Code:
dig internet.nl +dnssec +multi +short @95.85.9.86

185.49.141.28

A 7 2 3600 20161013033608 20160922044936 28409 internet.nl. eptGraOJ6tTrYncrlecCaUjulDlgJ9FMp/qUZb6vYH9toBvDYt5DX+Do 7J9tAf4ydkf9Iq514ktyANVm/OGhphMMJuG30aO3p3dtEvhtb0k+Ud6U OqsUvEGOKb18g4ucmnM7+lJHDhdgQEkPa/Q5e/Rn0pUUKT+KxK4ksCMK FT8=

Code:
dig internet.nl +dnssec +multi +short @185.83.217.248

185.49.141.28

A 7 2 3600 20161013033608 20160922044936 28409 internet.nl. eptGraOJ6tTrYncrlecCaUjulDlgJ9FMp/qUZb6vYH9toBvDYt5DX+Do 7J9tAf4ydkf9Iq514ktyANVm/OGhphMMJuG30aO3p3dtEvhtb0k+Ud6U OqsUvEGOKb18g4ucmnM7+lJHDhdgQEkPa/Q5e/Rn0pUUKT+KxK4ksCMK FT8=

However, when I use the router as the resolver, it just fails...
Code:
dig internet.nl +dnssec +multi +short @192.168.1.1

;; Truncated, retrying in TCP mode.

Looks like the response from my router is too big when there is DNSSEC enabled.

If I use my router when I dig a non-DNSSEC domain, it also works fine.
So it's just with the DNSSEC domains.


Sent from my iPhone using Tapatalk
 
Truncated replies are perfectly normal with DNSSEC; these replies are often too large to fit in a UDP packet.

Make sure your upstream nameservers do support DNSSEC, and that your router's clock is accurate.
 
I don't think that server supports DNSSEC. The "ad" flag (for Authenticated answer) is missing when querying for a DNSSEC-enabled domain:

Code:
merlin@ubuntu-dev:~$ dig pir.org +dnssec +multi @95.85.9.86

; <<>> DiG 9.10.3-P4-Ubuntu <<>> pir.org +dnssec +multi @95.85.9.86
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30056
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org.        IN A

;; ANSWER SECTION:
pir.org.        300 IN A 97.107.141.235
pir.org.        300 IN RRSIG A 5 2 300 (
                20161016084000 20161002084000 19094 pir.org.
                KAdeaOBCKHL3AXEpDqvc5Snvta9ljpnACpb2acGnFeA0
                mu1YZ0RrjETMgAXroHLWfg6ranTxmfhgG7N/g2Tvj2v4
                L5uo+8tIChQoR2u26NdPBPPqJy/ks04FDCfSk6znMmOU
                feiYbQoU/puc4kI1kVzwhG9gXrUQ+QbFEJu3zR8= )

;; Query time: 100 msec
;; SERVER: 95.85.9.86#53(95.85.9.86)
;; WHEN: Sun Oct 02 19:34:14 EDT 2016
;; MSG SIZE  rcvd: 219

Querying the same domain from 8.8.8.8 properly has the ad flag set.
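Added example, not code from the thread or from Asuswrt-Merlin: it performs the check RMerlin did by eye above, decoding the header flags of a raw DNS response to tell a validating resolver (AD set) from one that merely forwards RRSIGs, and it also covers the truncated (TC) reply from the first post. The wire bytes are constructed to match the header values in the dig output (id 30056, flags qr rd ra, QUERY 1, ANSWER 2, ADDITIONAL 1), so nothing is sent over the network.

```python
import struct

# Bit positions inside the 16-bit flags field (RFC 1035; AD/CD from RFC 4035).
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}


def parse_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS header into ID, flags, RCODE and section counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "rcode": flags & 0xF,
        "flags": {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()},
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dnssec_verdict(header: dict) -> str:
    """Read the flags the way you read dig's ';; flags:' line."""
    f = header["flags"]
    if f["tc"]:
        return "truncated: answer did not fit the UDP datagram, retry over TCP"
    if not f["ra"]:
        return "no recursion: server will not resolve on your behalf"
    if f["ad"]:
        return "validated: AD set, the resolver checked the DNSSEC chain"
    return "unvalidated: AD missing, RRSIGs may be present but were not checked"


def build_header(ident: int, flags: int, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Pack a 12-byte header; used only to construct the samples below."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed samples (no real packets captured). The first mirrors the header dig
# printed for 95.85.9.86: id 30056, flags qr rd ra, QUERY 1, ANSWER 2, ADDITIONAL 1.
NON_VALIDATING = build_header(30056, 0x8180, qd=1, an=2, ar=1)
# Same answer from a validating resolver: flags qr rd ra ad.
VALIDATING = build_header(30056, 0x81A0, qd=1, an=2, ar=1)
# The router's UDP reply: flags qr tc rd ra, so dig says "Truncated, retrying in TCP mode".
TRUNCATED = build_header(30056, 0x8380, qd=1, ar=1)

if __name__ == "__main__":
    for src, msg in (("95.85.9.86", NON_VALIDATING), ("8.8.8.8", VALIDATING), ("router", TRUNCATED)):
        print(f"{src}: {dnssec_verdict(parse_header(msg))}")
```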
 
Aha, thanks! At least I know it's not me ;) I'll let the provider know so that they can work on it.


Sent from my iPhone using Tapatalk
 
@RMerlin, could you add the OpenNIC trust anchor as well? I've added it myself for the moment, but ideally it would be nice if it was added with the one from IANA.

I believe it's
Code:
trust-anchor=.,7372,8,2,14a2b8caf58bfaae0bd7c257488a341fcc542f9f88f0b678d620324ce7b55285


Sent from my iPhone using Tapatalk
 
As far as I can tell, you can have only one root trust anchor in dnsmasq. I haven't seen a single reference to dnsmasq handling multiple root anchors.

The OpenNIC anchor would only work if using OpenNIC's own resolvers. In that case, you are looking at a very specific custom configuration, something that is best handled by a postconf script since the trust anchor to use depends on which resolver you use.
 
Old thread, I know, however I'm experiencing the aforementioned issue of DNSSEC reportedly being enabled according to multiple test sites, despite never having enabled it in the router settings on the current 380.65_2 firmware, i.e. DNS is set to the router IP, DNSSEC is turned off on the router, yet websites report DNSSEC in use.

Resolvers are dns.watch in case it's relevant.
 
Those test sites report whether your upstream server has DNSSEC enabled and thus refuses to resolve domains with invalid DNSSEC signatures. What DNSSEC in Merlin does is secure the so-called 'last mile', in other words the DNS request between your router and the upstream server, by checking the signature again on the router.

Usually, DNSSEC signatures aren't checked by the client. So the signature is never checked locally on your PC or your router, only by the upstream DNS server you configured. In theory this means someone could potentially manipulate the DNS response between the DNS server and your router. Enabling DNSSEC on Merlin means your router now rechecks the signature before resolving it for your PC.

So if your configured DNS server supports DNSSEC, it's a good idea to enable it on your own router too.
 
Please, could you tell me how I can do so (enabling/disabling DNSSEC on an Asus AC56U)? I googled it but didn't find any how-to.
 
Under Advanced Settings - Lan - DHCP Server

 
Does DNSSEC work while DNSCRYPT is running on Merlin? I understand OPENDNS doesn't support DNSSEC but what about the other servers?
 
Yes, it does, but you need to use/find a server which supports DNSSEC. In my opinion, DNSCrypt alone is enough.
 
I use Google's DNS server which supports DNSSEC
 