Menu
What's new
By:
Filters Better Search

[380 legacy] DNSSEC no longer compatible with 380.70

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

RMerlin

RMerlin

Asuswrt-Merlin dev
Staff member
Root nameservers switched to a newer signature key. 380.70 only contains the old signature. People still running that older firmware and using DNSSEC will have to enable custom script support (Administration -> System), and create a /jffs/configs/dnsmasq.conf.add file, with the following content:

Code: 
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

384.7 users are not affected, as this firmware already contains both keys.
 
Once I make this change, what test can I perform to verify that this fix is working?
 
That's not very helpful. I tried several of the checkers and get what looks like mixed results, so I cannot tell if it is really working. But thanks for your response anyway.

Thank you.
 
Thanks, that is helpful. But sadly it tells me that my DNS resolver does NOT validate DNSSEC signatures. But I have DNSSEC support enabled, and I added the file with the above info (at least I think I did). I'm using PIA VPN with the DNS Configuration set to Strict. What have I setup incorrectly?
 
I figured it out. I was using OpenDNS, which does not support DNSSEC. I think PIA also uses OpenDNS. When I changed my DNSs to Google and others, all is now OK.
 
Just to be clear... because I didn't see anything about creating the file or getting it in there in your instructions so....Yeah.. the first time I did this, my router went zonkers and locked me out. Couldn't even get in on a hard line.

Had to do a VRAM reset and of course lost all of my settings.. so here we are clean again.

And that's when I learned what it is doing.

This solution is untennable. Or at least not very realistic... at least for me. Using internal jffs is fine, until you reboot. Then it gets wiped, and does a hard reset to defaults.

Anyway... after settings up my Wireless names and admin password... for the 3rd or 4th time, I figured out what is going on...

Correct me if I'm doing something wrong here.... PLEASE.. God... I hope I'm doing something wrong here.

Administration -> System -> Enable jffs
Scroll down, "Enable Telnet"
Apply

Then telnet to 192.168.1.1 and use Admin account and password just set to login.

Then
Code: 
cd /jffs/configs
Then
Code: 
vi dnsmasq.conf
Then paste in the above statement.
Then save by hitting "ESC" and then typing ":w" (without the quotes)
Then quit by hitting "ESC" and then typing ":x" (without the quotes)
Then back at telnet prompt, type "cat dnsmasq.conf" (without the quotes) ... Just for good measure to make sure it's correct.
Then at the prompt type "exit" (without the quotes) to close the telnet session.

Meanwhile, back on a your computer, you can no ping those addresses that woudn't ping with DNSSEC enabled before (like asuswrt-merlin.net) and they return IP Addresses...Great...

Then everything is "hunkydory" in terms of the pinging and navigating.

And then you reboot.. and lose everything including any custom settings and yes.. even that file you just wrote.

Sigh...

I realize this isn't going to come off well; but this whole jffs non-solution seems pretty weak for a one line bug fix. I mean.. if there were ever a reason to put out ONE MORE UPDATE to a firmware.. this is it.

In the meantime... I hope someone will tell me that I'm doing something completely wrong.. because I've tried about 4 different ways to do this and it all ends with tears the minute I need to reboot this router.
 
64bitguy said:
In the meantime... I hope someone will tell me that I'm doing something completely wrong.. because I've tried about 4 different ways to do this and it all ends with tears the minute I need to reboot this router.
Click to expand...
You must create dnsmasq.conf.add not dnsmasq.conf. The contents of .add get appended to the main dnsmasq.conf. When you create dnsmasq.conf, it fully replaces the firmware-generated config, so yes it would go nuts.
 
dave14305 said:
You must create dnsmasq.conf.add not dnsmasq.conf. The contents of .add get appended to the main dnsmasq.conf. When you create dnsmasq.conf, it fully replaces the firmware-generated config, so yes it would go nuts.
Click to expand...


LOL...

Goodness gracious.. I read that 5 times as "add file" .. sheesh.. I'm old.

Yeah... that was the answer!

All of my procedures worked the same (but now with the correct filename of "dnsmasq.conf.add" and I was able to reboot without the router hard resetting itself...

The only question remaining is.. do I need to leave jffs enabled forever for that to get added at every reboot? Or can I disable now that this is done? Sadly, I'm assuming I won't be able to shut jffs down.
 
64bitguy said:
The only question remaining is.. do I need to leave jffs enabled forever for that to get added at every reboot? Or can I disable now that this is done? Sadly, I'm assuming I won't be able to shut jffs down.
Click to expand...
Yes you need to leave it enabled forever, so that the firmware will know to read that custom config file every time dnsmasq restarts. If that's the only file though, there's little risk of things going crazy in the future.

It really would be better to switch to John's LTS fork. It's still actively developed and current, even though the baseline is an older 374 version, most components are upgraded as new as possible. Wireless drivers haven't changed in a long time, so it's really just features and most importantly, security updates you'll get on the LTS fork. Then this dnsmasq.conf.add hack won't be necessary. :)
 
64bitguy said:
vi dnsmasq.conf
Click to expand...

Very tiny suggestion to use nano for newbies. :) It's a much simpler editor and the commands are right there on the bottom (CTRL-X to save&exit). I use vi, myself, but if you're not familiar with or literate on Unix platforms, nano (formerly pico) is the way to go:
Code: 
nano dnsmasq.conf
 
You must log in or register to reply here.

Similar threads

saison2023
Any way to diagnose further these dnsmasq restart events?
Replies
5
Views
750
saison2023
saison2023
garycnew
Tutorial [SOLUTION] Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Tutorial
Replies
0
Views
6K
garycnew
garycnew
RMerlin
  • Locked
Beta Asuswrt-Merlin 386.1 Beta is now available
76 77 78
Replies
2K
Views
434K
RMerlin
RMerlin
RMerlin
[Beta 380/Legacy] Asuswrt-Merlin 380.70 Beta is available
2
Replies
27
Views
9K
RMerlin
RMerlin
RMerlin
[Release 380/Legacy] Asuswrt-Merlin 380.70 is now available
2
Replies
38
Views
33K
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
RMerlin CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled Asuswrt-Merlin 30

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 931 (members: 29, guests: 902)
Top