[Experimental] Asuswrt-Merlin 384.13 test - AiMesh/DNSSEC through OpenSSL

[karma]

Wifi code is closed source, and will always be 100% identical to stock firmware.

ah ok, good to know, thanks.

Fresh builds have been generated, they should be published to Onedrive in the coming minutes.

Just flashed the latest firmware, everything still ok with AI Mesh.

 

[skeal]

Fresh builds have been generated, they should be published to Onedrive in the coming minutes.

Just flashed the second alpha 1 and so far so good, none of the other issues! Thanks Eric once again!

 

[Treadler]

With DNSSEC enabled, I still can’t get to this site with the new 384.13 Alpha1.

sa.gov.au

Disable DNSSEC, & no problem getting to it.

My ‘root canary’ test is improved, but not as good as the one in post #1.
(I’m using Cloudflare).



Otherwise, all seems fine.

 

[skeal]

With DNSSEC enabled, I still can’t get to this site with the new 384.13 Alpha1.

sa.gov.au

Disable DNSSEC, & no problem getting to it.

My ‘root canary’ test is improved, but not as good as the one in post #1.
(I’m using Cloudflare).


Otherwise, all seems fine.

Same here. My test is improved but not as good as the one shown in the first post. I am unable to resolve that address as well.

 

[Delusion]

Same here. My test is improved but not as good as the one shown in the first post. I am unable to resolve that address as well.

Me too... tried different DNS servers (SecureDNS, sinodun, Cloudflare which returns servfail on ED448, quad9 , Google DNS seems to be a bit different ) .I did Flush dns+release+renew each test and tried different web browsers using in-priavte tab\windows,,,

The best result I get with sinodun (dnsovertls3) :

 

[SomeWhereOverTheRainBow]

this is with my isp without DoT

with DoT on cloudflare, adguard, quad 9 and clean browsing.

 

[SomeWhereOverTheRainBow]

cloudflare without DoT


here are logs from responses

Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d4a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d1a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d2a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:17 dnsmasq[28532]: Insecure DS reply received for d2a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:18 dnsmasq[28532]: Insecure DS reply received for d2a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:18 dnsmasq[28532]: Insecure DS reply received for d2a16n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
Jul  9 22:15:18 dnsmasq[28532]: Insecure DS reply received for

384.13_alpha1-g221a3ad058 firmware @ rt-ac5300

 

[Martin_D]

RT-AX88U DoT on cloudflare

Firmware Version 384.13_alpha1-ge00029ce9a
DHCP static lists working fine
Not tested aimesh

RAM
Used 655MB Free 369MB Total 1024MB 64%

 

[SomeWhereOverTheRainBow]

Well the one good thing is consistent results, I tested cloudflare with DoT and without DoT, and it produces the same results (cleaned cache and all).

Test being conducted from RT-AC5300 and RT-AC68U

 

[Kingp1n]

RMerlin, testing with main router (RT-AC86U) and 3 nodes (RT-AC68R and 2 RT-AC68U) all running with latest stock FW with no issues so far. The DHCP static lists looks good. We'll continue to monitor.

I'm currently not using DoT but my test it just to see what it can do...

 

[SomeWhereOverTheRainBow]

without verify unsigned signatures.

 

[bluepoint]

Well the one good thing is consistent results, I tested cloudflare with DoT and without DoT, and it produces the same results (cleaned cache and all).

Test being conducted from RT-AC5300 and RT-AC68U

I think what you're seeing is the result of using cloudflare's resolver which validates DNSSEC on its own. I'm seeing the same thing. I can turnoff DNSSEC from the GUI and the results are the same.

 

[SomeWhereOverTheRainBow]

I think what you're seeing is the result of using cloudflare's resolver which validates DNSSEC on its own. I'm seeing the same thing.

these results are from having built dnssec validation turned on in conjunction with the use of these servers.
My ISP also validates DNSSEC upstream and with dnssec validation turned on I get better results using them.

 

[Kingp1n]

Without DoT and using Comcast DNS and with DNSSEC enabled:

 

[SomeWhereOverTheRainBow]

confirmed this is with comcast dns servers.

 

[SomeWhereOverTheRainBow]

googles DNS(without DoT) , but there are occasional mixed results.

AdGuard DNS without DoT

 

[Magnus33]

Sweet we shall give it a go.

I am likely one download from making my home self aware and dooming humity but for now lets enjoy )

AC86U no major issues to report so far.

 

[Gitsum]

I cannot get my AC68U to mesh with the AX88U. I tried at least 6 times and every time it will find the AC68U and try to make it a node but after the counter gets to 100, it says it can't do it at this time. The AC68U reboots 3 times during the procedure and ends up back at square 1.
I don't know what else to try. I had to put it back into repeater mode.
It did this same thing before when in another post a month or so back, a guy showed how to make the AImesh work with Merlin. Couldn't get it to work until I put official firmware on the AX88U.

 

[RMerlin]

I cannot get my AC68U to mesh with the AX88U. I tried at least 6 times and every time it will find the AC68U and try to make it a node but after the counter gets to 100, it says it can't do it at this time. The AC68U reboots 3 times during the procedure and ends up back at square 1.
I don't know what else to try. I had to put it back into repeater mode.
It did this same thing before when in another post a month or so back, a guy showed how to make the AImesh work with Merlin. Couldn't get it to work until I put official firmware on the AX88U.

Do you have any unusual configuration? I discovered the dnsmasq crash issues last night as my RT-AC88U was no longer able to add any nodes for instance, so it seems like a lot of things can interfere with AiMesh.

Also during the pairing, make sure the node is brought closer to the router (Asus mentions it should be within 3 meters).

 

[RMerlin]

Can any of the AiMesh testers try the firmware downgrade and upgrade capabilities of their nodes? Try flashing back the previous firmware, then test the Check button, as well as the link displaying release notes.

Regarding DNSSEC, this is similar to the odd behaviour I mentionned in the first post. In my case, DSA validation seem to be handled by my ISP's servers, so I get successful validation even tho DSA validation is currently disabled in dnsmasq. We'll see if @themiron can track anything there.