1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

Stubby-Installer-Asuswrt-Merlin

Discussion in 'Asuswrt-Merlin' started by Xentrk, Oct 22, 2018.

  1. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    Stubby is an application that acts as a local DNS Privacy stub resolver using DNS-over-TLS. Stubby encrypts DNS queries sent from a client machine to a DNS Privacy resolver increasing end user privacy.

    Since Stubby is in the early stages of development, it may not be suitable for non-technical users. To assist users to implement Stubby, I wrote a Stubby installer script to make the process easier.

    The install script defaults to Cloudflare (1.1.1.1) DNS-over-TLS on port 853. You can change to other supported public or test resolvers by updating the Stubby configuration file located in /opt/etc/stubby/stubby.yml.

    All Asus models supported by Asuswrt-Merlin, with the exception of the AC86U, should be supported by this script. To date, I have received confirmation that it works on the following models:
    • RT-AC66U_B1
    • RT-AC68U
    • RT-AC87U
    • RT-AC88U
    • RT-AC3100
    For information on Stubby, including how to install and validate, visit the Stubby-Installer-Asuswrt-Merlin GitHub Repository.

    For information on how the settings were derived at, see my blog post DNS over TLS with DNSMASQ and Stubby on Asuswrt-Merlin.

    Installation
    Using your preferred SSH client/terminal, copy and paste the following command, then press Enter:

    Code:
    /usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/install_stubby.sh" -o "/jffs/scripts/install_stubby.sh" && chmod 755 /jffs/scripts/install_stubby.sh && sh /jffs/scripts/install_stubby.sh
    Then, select the install option from the menu.
     
  2. Please support SNBForums! Just click on this link before you buy something from Amazon and we'll get a small commission on anything you buy. Thanks!
  3. M@rco

    [email protected] Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    701
    Location:
    /opt
    Thanks for your efforts @Xentrk and for the opportunity to test the installer over the last weeks. Stubby has been running great on my RT-AC68U for days now!
     
    Xentrk likes this.
  4. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    639
    Haven’t test the installer.

    Just checking.
    Does Cloudflare help page ok with dnssec validation enabled via stubby?

    It works if I enable dnssec validation via firmware with check unsigned off.
     
  5. M@rco

    [email protected] Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    701
    Location:
    /opt
    The installer script disables the DNSSEC firmware setting and it should remain off. That way DNSSEC tests will succeed. If manually enabled in the UI, it will cause trouble as your tests will fail. See the Github page for more info: https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin#dnssec
     
  6. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    I was wondering when that question was going to come up :) DNSSEC is not enabled on the Cloudflare test page. Here is my journey regarding Stubby + DNSSEC:

    I am still troubled that I have no root anchor files appearing in the appdata_dir. Yet, the DNSSEC test sites all work. I saw several posts on other forums were others reported the same behavior.

    This Firefox add-on will add an indicator on the browser to let you know if the site you are visiting supports DNSSEC.
    https://addons.mozilla.org/en-US/firefox/addon/dnssec/
     
  7. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    639
    Understand and the dnssec validation on firmware already been turn off before I enable it via stubby.
    So question is how is it different from turning off via webgui vs disable via the installer script.

    I added the following to enable dnssec via stubby.yml
    dnssec_return_status: GETDNS_EXTENSION_TRUE

    So did u get the AD flag when u use the following command?
    dig pir.org +dnssec +multi

    Link on how to test if dnssec is working
    https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
     
  8. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    639
    The root anchor file will be loaded automatically when U load the dnssec validation via stubby. I check the appdata_dir before I enable dnssec validation and yes it is empty. Once I load up the dnssec validation via stubby, the files are there. As this are just temporary folder and it will be cleared once router restart unless stubby with dnssec validation load them back.

    Question here is the dnssec validation via stubby (cloudflare) seems not working not only in the cloudflare help page. When i use the dig command to check for AD flag. It is not present too.
     
  9. M@rco

    [email protected] Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    701
    Location:
    /opt
    DNSSEC validation works for me:

    Code:
    # dig asuswrt.lostrealm.ca @1.1.1.1 +dnssec +multi
    
    ; <<>> DiG 9.11.3 <<>> asuswrt.lostrealm.ca @1.1.1.1 +dnssec +multi
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48040
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1452
    ;; QUESTION SECTION:
    ;asuswrt.lostrealm.ca.  IN A
    
    ;; ANSWER SECTION:
    asuswrt.lostrealm.ca.   71 IN A 72.55.186.51
    asuswrt.lostrealm.ca.   71 IN RRSIG A 13 3 300 (
                                    20181023100445 20181021080445 35273 lostrealm.ca                                                                                                             .
                                    JK2E4hS9CFtgV7osOXDMlxzkBKX/BQY7ih116SXlGhaN
                                    Mb5YNE0xpELApdWHMKlRIYi+ZMsUCBQ92MebyzO2OQ== )
    
    ;; Query time: 12 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Mon Oct 22 09:08:34 UTC 2018
    ;; MSG SIZE  rcvd: 173
    
     
  10. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    When I add the parameter dnssec_return_status: GETDNS_EXTENSION_TRUE, all of the DNSSEC tests fail. Perhaps you can post your stubby.yml? I have been trying to recreate the scenario when I saw root anchor files in the appdata_dir with no luck. Luckily, I saved a backup to prove I had them at one time.

    Perhaps this parameter was required in an earlier version of getdns that required the use of Unbound to specify the root anchors. Just a theory.

    Code:
     #drill -D asuswrt.lostrealm.ca @1.1.1.1
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53236
    ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; asuswrt.lostrealm.ca.        IN      A
    
    ;; ANSWER SECTION:
    asuswrt.lostrealm.ca.   300     IN      A       72.55.186.51
    asuswrt.lostrealm.ca.   300     IN      RRSIG   A 13 3 300 20181023100206 20181021080206 35273 lostrealm.ca. Vyo6xNB3ViMZhv/VhBURt6UaHdA5jfAH4VSzDB7bWITYbZVl6+5vzQUxPvSTa783WNE2WWPJ8rP1L0Ox4e7x9g==
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 17 msec
    ;; EDNS: version 0; flags: do ; udp: 4096
    ;; SERVER: 1.1.1.1
    ;; WHEN: Mon Oct 22 09:02:06 2018
    ;; MSG SIZE  rcvd: 173
    
     
  11. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    I use a nvram set command to turn off DNSSEC on the firmware:
    Code:
    # Turn off DNSSEC setting in firmware
    nvram set dnssec_enable="0"
    nvram commit
     
  12. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    639
    That’s the problem. When u go directly via cloudflare, yes dnssec works. But not via stubby with dnssec validation enabled.

    Don’t think we have difference in the yml
    https://pastebin.com/raw/0T7GP7mS
     
  13. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    639
    Not think there make the difference.
    So just to confirm if u get AD flag when using stubby dnssec validation enable?
     
  14. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    639
    Wrong test as u are not testing via stubby but via cf dns via port 53.

    Try changing the @1.1.1.1 to @127.0.0.1 (assuming u using stubby/dnscrypt-proxy)
     
  15. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    Yep, when I use the 127.0.0.1 there is no AD flag.

    Code:
    drill -D asuswrt.lostrealm.ca @127.0.0.1
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 51894
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; asuswrt.lostrealm.ca.        IN      A
    
    ;; ANSWER SECTION:
    asuswrt.lostrealm.ca.   300     IN      A       72.55.186.51
    asuswrt.lostrealm.ca.   300     IN      RRSIG   A 13 3 300 20181023100453 20181021080453 35273 lostrealm.ca. 2L9xcKA2PjvntO73GPtdfe05wIebCb1O88+TI038uK6iLji1OcC+q/n6R5gUUTAJQm4j6FuLkYQtFMJTFEqLMA==
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 97 msec
    ;; EDNS: version 0; flags: do ; udp: 1452
    ;; SERVER: 127.0.0.1
    ;; WHEN: Mon Oct 22 09:04:53 2018
    ;; MSG SIZE  rcvd: 213
    
    Give me a few minutes to try your config. Don't see any thing different from what I have tried in the past.
     
  16. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    I recognized that config from the other thread. dnssec_return_status: GETDNS_EXTENSION_TRUE is commented out in your stubby.yml!

    Code:
    #dnssec_return_status: GETDNS_EXTENSION_TRUE
    When I enable in stubby.yml, http://dnssec.vs.uni-due.de/ returns
    upload_2018-10-22_16-39-53.png

    The stubby devs told me not to use the SPKI in the stubby.yml file:
     

    Attached Files:

  17. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    @DonnyJohnny.....BTW, thanks for posting the solution of using the LAN IP address for DNS1. I first used 127.0.0.1 but this prevents users from applying changes to the WAN gui page. I nicknamed the use of the LAN IP address for DNS1 "the DonnyJohnny method"! :D
     
  18. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,679
    Location:
    The Land of Smiles
    I ran the drill again using TD.
    Code:
    drill -TD asuswrt.lostrealm.ca @127.0.0.1
    Warning: No trusted keys were given. Will not be able to verify authenticity!
    ;; Domain: .
    ;; Signature ok but no chain to a trusted key or ds record
    [S] . 172800 IN DNSKEY 256 3 8 ;{id = 2134 (zsk), size = 2048b}
    . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
    . 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
    Checking if signing key is trusted:
    New key: .      172800  IN      DNSKEY  256 3 8 AwEAAdp440E6Mz7c+Vl4sPd0lTv2Qnc85dTW64j0RDD7sS/zwxWDJ3QRES2VKDO0OXLMqVJSs2YCCSDKuZXpDPuf++YfAu0j7lzYYdWTGwyNZhEaXtMQJIKYB96pW6cRkiG2Dn8S2vvo/PxW9PKQsyLbtd8PcwWglHgReBVp7kEv/Dd+3b3YMukt4jnWgDUddAySg558Zld+c9eGWkgWoOiuhg4rQRkFstMX1pRyOSHcZuH38o1WcsT4y3eT0U/SR6TOSLIB/8Ftirux/h297oS7tCcwSPt0wwry5OFNTlfMo8v7WGurogfk8hPipf7TTKHIi20LWen5RCsvYsQBkYGpF78= ;{id = 2134 (zsk), size = 2048b}
    [S] ca. 86400 IN DS 2134 8 2 4b8475c0c0fe2afdfee1a71a237c91059098d12fc18265b290edb238a5f63582
    ;; Domain: ca.
    ;; Signature ok but no chain to a trusted key or ds record
    [S] ca. 3600 IN DNSKEY 256 3 8 ;{id = 35433 (zsk), size = 1024b}
    ca. 3600 IN DNSKEY 257 3 8 ;{id = 2134 (ksk), size = 2048b}
    ca. 3600 IN DNSKEY 256 3 8 ;{id = 43854 (zsk), size = 1024b}
    Checking if signing key is trusted:
    New key: ca.    3600    IN      DNSKEY  256 3 8 AwEAAdv1tDhjeFHA6WYgNcxHxFLQAegMnIfy4Wo715kdVp2A6E+l/YvxvDq6Bdt8QBqwT0LyQiESwedlM/XN9qGgIWdJGWPzkmFs+qpiHgUGM/vEScUHj5GT4URssB1Vef7HO9Fz4Dysqa7rzVSmbQWpUDacTqd7rppBgZkYU7ltQlPx ;{id = 35433 (zsk), size = 1024b}
    [S] lostrealm.ca. 86400 IN DS 2371 13 2 bb76fdbe44bc95b938f057665d9f94ff72e624078bfa8d067c00ebc6f6e93a42
    ;; Domain: lostrealm.ca.
    [B] lostrealm.ca. 3600 IN DNSKEY 257 3 13 ;{id = 2371 (ksk), size = 0b}
    lostrealm.ca. 3600 IN DNSKEY 256 3 13 ;{id = 35273 (zsk), size = 0b}
    lostrealm.ca. 3600 IN DNSKEY 256 3 13 ;{id = 34505 (zsk), size = 0b}
    [B] Error verifying denial of existence for asuswrt.lostrealm.ca. DS: Unknown cryptographic algorithm
    ;; No ds record for delegation
    ;; Domain: asuswrt.lostrealm.ca.
    ;; No DNSKEY record found for asuswrt.lostrealm.ca.
    [B] asuswrt.lostrealm.ca.       300     IN      A       72.55.186.51
    ;; Error: Unknown cryptographic algorithm
    ;;[S] self sig OK; [B] bogus; [T] trusted
    
    In this command, I specify the root key file that I had saved from earlier testing.
    Code:
    drill -k /opt/var/cache/stubby-bkup/root.key -TD asuswrt.lostrealm.ca @127.0.0.1
    ;; Number of trusted keys: 4
    ;; Domain: .
    [T] . 172800 IN DNSKEY 256 3 8 ;{id = 2134 (zsk), size = 2048b}
    . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
    . 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
    Checking if signing key is trusted:
    New key: .      172800  IN      DNSKEY  256 3 8 AwEAAdp440E6Mz7c+Vl4sPd0lTv2Qnc85dTW64j0RDD7sS/zwxWDJ3QRES2VKDO0OXLMqVJSs2YCCSDKuZXpDPuf++YfAu0j7lzYYdWTGwyNZhEaXtMQJIKYB96pW6cRkiG2Dn8S2vvo/PxW9PKQsyLbtd8PcwWglHgReBVp7kEv/Dd+3b3YMukt4jnWgDUddAySg558Zld+c9eGWkgWoOiuhg4rQRkFstMX1pRyOSHcZuH38o1WcsT4y3eT0U/SR6TOSLIB/8Ftirux/h297oS7tCcwSPt0wwry5OFNTlfMo8v7WGurogfk8hPipf7TTKHIi20LWen5RCsvYsQBkYGpF78= ;{id = 2134 (zsk), size = 2048b}
            Trusted key: .  4521    IN      DNSKEY  256 3 8 AwEAAfaifSqh+9ItxYRCwuiY0FY2NkaEwd/zmyVvakixDgTOkgG/PUzlEauAiKzlxGwezjqbKFPSwrY3qHmbbsSTY6G8hZtna8k26eCwy59Chh573cu8qtBkmUIXMYG3fSdlUReP+uhBWBfKI2aGwhRmQYR0zSmg7PGOde34c/rOItK1ebJhjTAJ6TmnON7qMfk/lKvH4qOvYtzstLhr7Pn9ZOVLx/WUKQpU/nEyFyTduRbz1nZqkp6yMuHwWVsABK8lUYXSaUrDAsuMSldhafmR/A15BxNhv9M7mzJj7UH2RVME9JbYinBEzWwW9GpnY+ZmBWgZiRVTaDuemCTJ5ZJWLRs= ;{id = 41656 (zsk), size = 2048b}
            Trusted key: .  4521    IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
            Trusted key: .  4521    IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
    <snip>
    
     
  19. unknownz

    unknownz Occasional Visitor

    Joined:
    Apr 10, 2016
    Messages:
    22
    observations i found during my own setup
    1. CF's help page is useful to check that DoT is setup proper ONLY; this will require DNSSEC to be disabled
    2. when DNSSEC is enabled, CF's help page will return failure for the debug information
    3. for DIG queries to return AD flag proper, the router's DNSSEC must be turned on

    Code:
    [email protected]:/tmp/home/root# dig asuswrt.lostrealm.ca +dnssec +multi
    ; <<>> DiG 9.11.3 <<>> asuswrt.lostrealm.ca +dnssec +multi
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11912
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;asuswrt.lostrealm.ca.  IN A
    ;; ANSWER SECTION:
    asuswrt.lostrealm.ca.   291 IN A 72.55.186.51
    asuswrt.lostrealm.ca.   291 IN RRSIG A 13 3 300 (
                                    20181023110229 20181021090229 35273 lostrealm.ca.
                                    IwPylutUIxLDkRNGVEX/+BPPlU2t3XuYsrUo09iI1GRU
                                    /ulTv2i8IXI6YNjv5FjJHzuXsOhffiVRLt/bBadh+A== )
    ;; Query time: 21 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Oct 22 18:02:38 +08 2018
    ;; MSG SIZE  rcvd: 173
    
    Code:
    Oct 22 17:59:48 dnsmasq[30921]: query[A] asuswrt.lostrealm.ca from 127.0.0.1
    Oct 22 17:59:48 dnsmasq[30921]: forwarded asuswrt.lostrealm.ca to 127.0.0.1
    Oct 22 17:59:48 dnsmasq[30921]: validation result is SECURE
    Oct 22 17:59:48 dnsmasq[30921]: reply asuswrt.lostrealm.ca is 72.55.186.51
     
    [email protected] likes this.
  20. M@rco

    [email protected] Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    701
    Location:
    /opt
    These iptables to redirect everything to stubby are in place:

    Code:
    # Force Client DNS requests to use Stubby
    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
    However, running with @127.0.0.1 indeed fails:

    Code:
    # dig asuswrt.lostrealm.ca @127.0.0.1 +dnssec +multi
    
    ; <<>> DiG 9.11.3 <<>> asuswrt.lostrealm.ca @127.0.0.1 +dnssec +multi
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1950
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1452
    ;; QUESTION SECTION:
    ;asuswrt.lostrealm.ca.  IN A
    
    ;; ANSWER SECTION:
    asuswrt.lostrealm.ca.   164 IN A 72.55.186.51
    asuswrt.lostrealm.ca.   164 IN RRSIG A 13 3 300 (
                                    20181023110146 20181021090146 35273 lostrealm.ca.
                                    4d0TFNjIqkyCnOIZhc1sis9ElTT50mziKqFKZ1WNa1xm
                                    wpEgJs+BrYltFNVvxWzONpydai5DqbQex758EHPylw== )
    
    ;; Query time: 13 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Oct 22 10:04:02 UTC 2018
    ;; MSG SIZE  rcvd: 213
    
    Do you have a solution @DonnyJohnny?
     
  21. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    639
    Commented out coz I using firmware dnssec validation.

    Regards the spki, I understand and I know it will work without specifying spki. Don’t really understand the need of SPKI but I read in the DOT paper, supposed need to specify SPKI.
     
Please support SNBForums! Just click on this link before you buy something from Amazon and we'll get a small commission on anything you buy. Thanks!