[Experimental] Asuswrt-Merlin 384.13 test - AiMesh/DNSSEC through OpenSSL

Fresh builds have been generated, they should be published to Onedrive in the coming minutes.
Just flashed the second alpha 1 and so far so good, none of the other issues! Thanks Eric once again!
 
With DNSSEC enabled, I still can’t get to this site with the new 384.13 Alpha1.

sa.gov.au

Disable DNSSEC, & no problem getting to it.

My ‘root canary’ test is improved, but not as good as the one in post #1.
(I’m using Cloudflare).



Otherwise, all seems fine.
 
With DNSSEC enabled, I still can’t get to this site with the new 384.13 Alpha1.

sa.gov.au

Disable DNSSEC, & no problem getting to it.

My ‘root canary’ test is improved, but not as good as the one in post #1.
(I’m using Cloudflare).


Otherwise, all seems fine.
Same here. My test is improved but not as good as the one shown in the first post. I am unable to resolve that address as well.
 
Same here. My test is improved but not as good as the one shown in the first post. I am unable to resolve that address as well.
Me too... tried different DNS servers (SecureDNS, sinodun, Cloudflare which returns servfail on ED448, quad9, Google DNS seems to be a bit different). I did flush DNS + release + renew for each test and tried different web browsers using in-private tabs/windows.

The best result I get with sinodun (dnsovertls3) :
cPxlzg2.png
 
upload_2019-7-9_20-42-0.png

cloudflare without DoT


here are logs from responses

Code:
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d4a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d2a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d2a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:18 dnsmasq[28532]: Insecure DS reply received for d2a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:18 dnsmasq[28532]: Insecure DS reply received for d2a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:18 dnsmasq[28532]: Insecure DS reply received for
384.13_alpha1-g221a3ad058 firmware @ rt-ac5300
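
An added example, not part of the original posts or of the Asuswrt-Merlin project: a small Python summarizer for the repeated dnsmasq "Insecure DS reply" warnings shown above, so the distinct names and their counts are easier to compare between resolvers. Reading the rootcanary labels as `d<digest>a<algorithm>n<NSEC version>` is an assumption; the numeric mappings are the IANA registry values, and the sample lines are constructed from the excerpt.

```python
import re
from collections import Counter

# IANA registry values: DS digest types and DNSSEC algorithm numbers.
DIGESTS = {1: "SHA-1", 2: "SHA-256", 3: "GOST R 34.11-94", 4: "SHA-384"}
ALGORITHMS = {
    3: "DSA", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# Warning text as it appears in the dnsmasq log excerpt above.
WARNING = re.compile(r"dnsmasq\[\d+\]: Insecure DS reply received for (\S+?),")
# ASSUMPTION: test labels read d<digest>a<algorithm>n<NSEC version>.
LABEL = re.compile(r"^d(\d+)a(\d+)n(\d+)\.")

def summarize(log_text):
    """Count warnings per queried name; lines cut off before the name are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = WARNING.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def describe(name):
    """Return (digest, algorithm) mnemonics for a test name, or None if it does not fit."""
    m = LABEL.match(name)
    if not m:
        return None
    digest, alg = int(m.group(1)), int(m.group(2))
    return (DIGESTS.get(digest, f"digest {digest}"),
            ALGORITHMS.get(alg, f"algorithm {alg}"))

# Constructed sample modelled on the excerpt; the last line is truncated like the original.
TAIL = (", could be bad domain configuration or lack of DNSSEC support "
        "from upstream DNS servers")
NAMES = ["d1a16n3"] * 3 + ["d4a16n3"] + ["d2a16n3"] * 2
SAMPLE = "\n".join(
    [f"Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for {n}.rootcanary.net{TAIL}"
     for n in NAMES]
    + ["Jul  9 22:15:18 dnsmasq[28532]: Insecure DS reply received for"])

if __name__ == "__main__":
    for name, n in summarize(SAMPLE).most_common():
        print(n, name, describe(name))
```

Under the labelling assumption, every name in the excerpt carries algorithm number 16 with differing DS digest types.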
 
RT-AX88U DoT on cloudflare

Firmware Version
384.13_alpha1-ge00029ce9a
DHCP static lists working fine
Not tested aimesh

RAM
Used 655MB Free 369MB Total 1024MB 64%


lPA1szj.png
 
Well the one good thing is consistent results, I tested cloudflare with DoT and without DoT, and it produces the same results (cleaned cache and all).

Test being conducted from RT-AC5300 and RT-AC68U
 
RMerlin, testing with main router (RT-AC86U) and 3 nodes (RT-AC68R and 2 RT-AC68U) all running with latest stock FW with no issues so far. The DHCP static lists look good. We'll continue to monitor.

I'm currently not using DoT but my test is just to see what it can do...
 
Well the one good thing is consistent results, I tested cloudflare with DoT and without DoT, and it produces the same results (cleaned cache and all).

Test being conducted from RT-AC5300 and RT-AC68U
I think what you're seeing is the result of using Cloudflare's resolver, which validates DNSSEC on its own. I'm seeing the same thing. I can turn off DNSSEC from the GUI and the results are the same.
 
I think what you're seeing is the result of using cloudflare's resolver which validates DNSSEC on its own. I'm seeing the same thing.
these results are from having built dnssec validation turned on in conjunction with the use of these servers.
My ISP also validates DNSSEC upstream and with dnssec validation turned on I get better results using them.
 
Without DoT and using Comcast DNS and with DNSSEC enabled:
upload_2019-7-9_20-55-13.png
 
Sweet we shall give it a go.

I am likely one download from making my home self-aware and dooming humanity but for now let's enjoy )

AC86U no major issues to report so far.
 
I cannot get my AC68U to mesh with the AX88U. I tried at least 6 times and every time it will find the AC68U and try to make it a node but after the counter gets to 100, it says it can't do it at this time. The AC68U reboots 3 times during the procedure and ends up back at square 1.
I don't know what else to try. I had to put it back into repeater mode.
It did this same thing before when in another post a month or so back, a guy showed how to make the AImesh work with Merlin. Couldn't get it to work until I put official firmware on the AX88U.
 
I cannot get my AC68U to mesh with the AX88U. I tried at least 6 times and every time it will find the AC68U and try to make it a node but after the counter gets to 100, it says it can't do it at this time. The AC68U reboots 3 times during the procedure and ends up back at square 1.
I don't know what else to try. I had to put it back into repeater mode.
It did this same thing before when in another post a month or so back, a guy showed how to make the AImesh work with Merlin. Couldn't get it to work until I put official firmware on the AX88U.

Do you have any unusual configuration? I discovered the dnsmasq crash issues last night as my RT-AC88U was no longer able to add any nodes for instance, so it seems like a lot of things can interfere with AiMesh.

Also during the pairing, make sure the node is brought closer to the router (Asus mentions it should be within 3 meters).
 
Can any of the AiMesh testers try the firmware downgrade and upgrade capabilities of their nodes? Try flashing back the previous firmware, then test the Check button, as well as the link displaying release notes.

Regarding DNSSEC, this is similar to the odd behaviour I mentioned in the first post. In my case, DSA validation seems to be handled by my ISP's servers, so I get successful validation even though DSA validation is currently disabled in dnsmasq. We'll see if @themiron can track anything there.
 