RT-N66U - Merlin 380.70 - DNSSEC Resolve issues -> Fixed in later versions?

My question is specific in that I'm still using the last "official" 2018 pre-fork build of Merlin for the RT-N66U.

So far, it's been fairly stable; though the initial build scared the crap out of me thinking I had bricked it... the installation instructions failed to mention all of the details of what it would go through moving from Asus to Merlin; but that aside, almost everything seems to be fairly decent, though my WAN bandwidth dropped by about 10% moving to Merlin with what appears to be the same settings.

The one issue I do have is with enabling DNSSEC. When I enable it, half of the domains become unreachable. There's no rhyme or reason to it; the domains themselves all check out fine in terms of DNSSEC compliance (one of the sites in question being the source of the Merlin packages). When I ping a site that won't load in my browser, I get an error like this:
asuswrt-merlin.net: Temporary failure in name resolution
There's no real logic to what will or won't load. My WAN DNS is pointed to Cloudflare ( and which are DNSSEC compliant. My LAN IP is all defaults. My LAN computers are all using DHCP, IPv4 only. IPv6 disabled.

My LAN Properties are as simple as it gets. Ignore the variable because that is standard on all Linux builds in case the NIC can't find the DHCP Server, it would default to that address.

The Router is acting as the LAN DNS Server.

GENERAL.DEVICE:                         enp3s0f1
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         AE:1E:84:A8:92:3D
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     Wired connection 1
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/25
IP4.ROUTE[1]:                           dst =, nh =, mt = 100
IP4.ROUTE[2]:                           dst =, nh =, mt = 100
IP4.ROUTE[3]:                           dst =, nh =, mt = 1000
Nothing in terms of "features" is really enabled on the router... In fact I turned off 2.4 Wireless just because I don't have anything that would use it.. so why bother leaving it on and generating heat? Everything else for the most part (QOS, Apps, etc...) is all disabled.
The only thing I have turned on is the Firewall, DDoS protection, ICMP Echo = off, NAT Loopback = Merlin.

Anyway... Everything works fine if I disable DNSSEC. I turn that on and things go screwy.

My question is... was this "kind of broken" in my version of Merlin and/or has this feature been "fixed" in a later (or the latest) "John" fork?

I'd like to get that one feature up and running; but I would probably resist updating the firmware if it's all still the same.

Most likely it is the keys that DNSSEC uses. DNSSEC for your router was enabled in the 24DEC15 release of 380.57. From a prior discussion with Merlin I know he hard codes the keys in the firmware. The keys changed 11OCT17. I looked in the change log for 380.69.2 and did not see that the keys were updated. You might try this firmware on the outside chance the keys were fixed.
I'm sure you could use a post config file to override the hard coded keys, but it may be better for you to move to the Fork 374 LTS.
The good news is your router is still supported there and you can get DoT function with DNSSEC!
As I'm using 380.70, I would assume (maybe my first mistake) that any changes implemented in Merlin's earlier 380.69.x series would have been brought forward... (Would that be a dumb assumption?)

I'm in that phase right now of trying to figure out the various differences between builds... I get the feeling that I'm missing some significant issue given John's fork of Merlin's build starts at 370... and I think version wise he's at 374 taking over where Merlin left off; but somehow I'm already up in the 380 and that is a couple of years earlier.

Others are trying to get me to update my CFE to and go join the DD-WRT fat or Tomato clubs, though for the life of me, I can't figure out why.... I took down my Pi-Hole while I do all this playing around and I'm missing it already.

Sadly, I have two bricks from power surges... one being a (now cheap) RT-N66R (it flashes power and that's it) and an RT-AC87R (that lights up strangely every time I hit the power button; but from all outward appearances is a brick because most of the time, the only light that stays on is WPS... which is weird because I never used WPS). An expensive write off.

The nice thing about updating to Merlin was I was at least able to telnet in to look at my version...
ASUSWRT-Merlin RT-N66U 380.70-0 Sun Apr  8 18:03:20 UTC 2018
[email protected]:/tmp/home/root# nvram get bl_version
Being at CFE bootloader, I'm also wondering if I should be updating that as well. (Sigh...)

When you say:
You might try this firmware on the outside chance the keys were fixed.
Did you mean down to 380.69.2 or Fork 374.43_2?

I'm going to start trying to read more about Fork 374.43_2 and also whether or not my version of bootloader will make a difference. I'm thinking to exploit the larger NVRAM allocation, I should have updated (probably before the Merlin for that matter)... Alas... Here I am.. wondering if I should just plug my CradlePoint IBR back in..... While I still have my sanity.

The things I'll do to try to get DNSSEC working on an Asus.... What's wrong with me?

Oh.. One other question since it came up and has my curiosity up. Someone suggested that I jam a MicroSD inside for some added features like Samba (I'm getting other ideas besides shares). I haven't peeled one apart in a while and didn't even realize they had the slot. My only question is, does anyone know what type and suggested size? Is this an SDHC only (32GB maximum, older style) scenario or can I jam an SDXC card in and go higher? And does anyone know what it should be formatted to? I'm assuming it will need to be ext2 or 3. If of course it limits us to only using an SDHC, maybe even fat32.

Of course none of that is as important as DNSSEC to me... I have so many shares and hosts on this LAN, it's embarrassing.

Winner Winner Chicken dinner.
You know I searched and searched these forums and I didn't see that one. Good catch my friend!

(One of the disadvantages of not running phpBB forum software I guess).

I had an epic fail about 5 times as I read it as "dnsmasq.conf" add file instead of "dnsmasq.conf.add" file... but someone was kind enough to clarify my mistake.
Once I added that alteration, I could reach all of those sites and ping all of those addresses I couldn't before.

Thanks for the help.

On a side note...
The DD-WRT installation and wikis for the RT-N66U are enough to scare anyone off ever loading any of it. What really bothered me was all the conflicting information... "Do this" only to scroll down to read, "God, whatever you do, don't do what we just told you to do above". Rummaging around for 374 felt a tad the same with guidance on finding it; but then browsing and not being able to find it... I started with the latest folders and started moving backwards... gave up after browsing about 40 dates (found the RT-AC66U in all of them; but never the RT-N66U)... I found it great they had a new forum post dated November; but was saddened that there wasn't a simple link in it to the actual destination of the build in question (not the beta.. the LTS)... (again.. something else I like about phpBB, being able to link directly and modify those posts if the destination data changes).

Anyway.. this should keep me busy for a while.... I need to go back and recreate all my MAC assignments and put all of my tweaks back in. I'll try to read more about the different Merlin/John versions... most likely not for this RT-N66U but for the RT-AC87U, which I got somewhat unbricked by using my Raspberry today with a 3-pin serial cable; but now that it boots it still seems pretty well toasted. I finally managed to get it to light up the power light and then boot to where I could at least update it to the latest Asus firmware; but that didn't help it at all either. All of the Ethernet ports (even the WAN port) seem fried. Ethernet 1 flashes; but I can't get a session with it (static for like Recovery Console with a .10 address or DHCP either). I can't even get the 5GHz Wireless to light up or to enable.. it's a 2.4GHz box that can't do much but go to the Admin screens at this point. Whenever I go to the Wireless screen, I lose half the administration screen and it won't update what is visible, and hard resets don't help either, I just end up starting over, so I'm not sure a firmware update will help... but I might try if I find the right flavor.

Again.. Thanks for your help!
I'm grateful to have DNSSEC up and running without having to use a Cradlepoint to do it.
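The reply above attributes the failures to trust-anchor keys baked into the firmware that predate the root KSK change, and the fix was an override in dnsmasq.conf.add. As an added illustration (not the thread's own configuration, which it never quotes), this script parses dnsmasq `trust-anchor=` lines and reports whether the root anchor set is stale, current, or missing; the key tags 19036 (KSK-2010) and 20326 (KSK-2017) and their DS digests are the published root values, while the config snippets are constructed samples.

```python
import re

# Published root KSK key tags: 19036 (KSK-2010, retired after the 2017/2018
# rollover) and 20326 (KSK-2017, current). The config text below is constructed.
OLD_ROOT_KSK_TAG = 19036
CURRENT_ROOT_KSK_TAG = 20326

# dnsmasq syntax: trust-anchor=<zone>,<key-tag>,<algorithm>,<digest-type>,<digest-hex>
_ANCHOR_RE = re.compile(r"^\s*trust-anchor=([^,]+),(\d+),(\d+),(\d+),([0-9A-Fa-f]+)\s*$")


def parse_trust_anchors(config_text):
    """Return (zone, key_tag, algorithm, digest_type, digest) tuples from dnsmasq config text."""
    anchors = []
    for line in config_text.splitlines():
        if line.strip().startswith("#"):
            continue  # skip comments
        m = _ANCHOR_RE.match(line)
        if m:
            zone, tag, alg, dtype, digest = m.groups()
            anchors.append((zone, int(tag), int(alg), int(dtype), digest.upper()))
    return anchors


def root_anchor_status(config_text):
    """Classify the root-zone ('.') anchors: 'current', 'stale' (2010 key only) or 'missing'."""
    tags = {tag for zone, tag, *_ in parse_trust_anchors(config_text) if zone == "."}
    if CURRENT_ROOT_KSK_TAG in tags:
        return "current"
    if OLD_ROOT_KSK_TAG in tags:
        return "stale"
    return "missing"


# Constructed sample: a firmware-era config that carries only the 2010 root key ...
STALE_CONF = """\
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
"""
# ... and the same config with a dnsmasq.conf.add-style line adding the 2017 key.
FIXED_CONF = STALE_CONF + (
    "trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"
)

if __name__ == "__main__":
    for name, conf in (("stale", STALE_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", root_anchor_status(conf))
```

A resolver that validates with only the 2010 anchor will SERVFAIL for signed zones after the rollover, which shows up on a LAN client as exactly the "Temporary failure in name resolution" error quoted earlier in the thread.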

