run unbound-anchor

Worked first time but no longer works...
Code:
# DNSSEC and DNS-over-TLS
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
#tls-cert-bundle: /opt/etc/ssl/certs/ca-certificates.crt

This certificate serves as validation. For me it works.
Code:
tls-cert-bundle: /opt/etc/ssl/certs/ca-certificates.crt
Try the stubby hint steps

Unbound is running fine and DNSSEC went away.

Ok.. It seems that when the VPN client is running on the router, even if my device is not on the rules list, DNSSEC is not working. When turning off the VPN, DNSSEC works (even when Unbound is not running and DNSSEC is not enabled in the GUI).
Code:
# DNSSEC and DNS-over-TLS
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
tls-cert-bundle: /opt/etc/ssl/certs/ca-certificates.crt

Not sure, there were commits for VPN.

DNSSEC was not working with VPN.
The big issue I am having right now is turning 'local caching..' on. The clock doesn't sync after restart and I have no connection (the reason why Merlin changed the default to NO). I have to turn off local caching when rebooting the router and, after the clock syncs, I need to turn it off as mentioned in the guide..

The great advantage of Unbound is its validation on root servers. Only Stubby and Dnsmasq do not deliver the required reliability in queries.

you should try this with S61unbound
Code:
#!/bin/sh
# S61unbound: Entware init script for Unbound (ASUS Merlin router)
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
    # Wait for NTP before starting: DNSSEC validation needs a sane clock
    logger -st "S61unbound" "Waiting for NTP to sync before starting..."
    ntptimer=0
    while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
        ntptimer=$((ntptimer+1))
        sleep 1
    done
    if [ "$ntptimer" -ge "300" ]; then
        logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
        echo ""
        exit 1
    fi
fi
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
# Variables consumed by the Entware rc.func service wrapper
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
PRECMD="service restart_dnsmasq"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
Code:
#!/bin/sh
# dnsmasq.postconf: Merlin runs this with the path of the generated dnsmasq config as $1
if [ "$(nvram get dnspriv_enable)" = "1" ]; then
    if [ "$(nvram get ntp_ready)" = "1" ]; then
        if [ -f /opt/etc/init.d/S61unbound ]; then
            # Clock synced and Unbound installed: hand all queries to 127.0.1.1#5453
            source /usr/sbin/helper.sh
            pc_delete "no-negcache" /etc/dnsmasq.conf
            pc_delete "bogus-priv" /etc/dnsmasq.conf
            pc_delete "domain-needed" /etc/dnsmasq.conf
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_replace "cache-size=1500" "cache-size=0" /etc/dnsmasq.conf
        else
            # No Unbound: restore the stock forwarder on 127.0.1.1
            source /usr/sbin/helper.sh
            pc_delete "server=127.0.1.1#5453" /tmp/resolv.dnsmasq
            pc_delete "server=127.0.1.1" /tmp/resolv.dnsmasq
            pc_append "server=127.0.1.1" /tmp/resolv.dnsmasq
        fi
    fi
fi
# Bootstrap: send lookups for the configured NTP servers straight to the WAN DNS
# servers so the clock can sync before any validating resolver is usable
if [ "$(nvram get dns_local_cache)" = "1" ]; then
    {
        NTPSERVERS=""
        for VAR in 0 1; do
            NTP="$(nvram get "ntp_server$VAR")"
            [ -n "$NTP" ] && NTPSERVERS="$NTPSERVERS/$NTP"
        done
        [ -z "$NTPSERVERS" ] && NTPSERVERS="/pool.ntp.org"
        for DNS in $(nvram get wan_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for DNS in $(nvram get ipv6_get_dns); do
            echo "server=$NTPSERVERS/$DNS"
        done
        for VAR in 1 2 3; do
            DNS="$(nvram get "ipv6_dns$VAR")"
            [ -n "$DNS" ] && echo "server=$NTPSERVERS/$DNS"
        done
        echo "server=$NTPSERVERS/127.0.1.1"
    } >> "$1"
fi
Seems to me the old "chicken-egg" dilemma starts with the system time still on 'Unix Epoch'. I used to solve this with the hostip binary: in the NTP address options, add the NTP server IP number.
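The "chicken-egg" above is a DNSSEC property: every RRSIG carries an inception and an expiration time, and a validator rejects signatures whose window does not cover the resolver's clock, so a router still at the Unix epoch cannot validate the very NTP hostname it needs to fix that clock. The Python below is added here, not from the thread; it models that check with constructed RRSIG times and shows why sending NTP lookups straight to the WAN DNS (what the dns_local_cache block does) sidesteps it.

```python
"""Why DNSSEC validation fails while the router clock is still at the Unix epoch.

RRSIG inception/expiration are 32-bit second counts compared with serial
arithmetic (RFC 4034 s3.1.5).  All sample values here are constructed.
"""
from datetime import datetime, timezone

MOD = 1 << 32  # RRSIG time fields wrap at 2^32 seconds


def rrsig_time(spec: str) -> int:
    """Parse an RRSIG time in YYYYMMDDHHmmSS presentation format to seconds since epoch mod 2^32."""
    dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial-number arithmetic on 32-bit values."""
    return a == b or ((b - a) % MOD) < (1 << 31)


def signature_window_ok(inception: str, expiration: str, now: int) -> bool:
    """True when inception <= now <= expiration, the test a validator applies to each RRSIG."""
    inc, exp = rrsig_time(inception), rrsig_time(expiration)
    now %= MOD
    return serial_le(inc, now) and serial_le(now, exp)


def resolve_ntp_name(validate: bool, inception: str, expiration: str, now: int) -> str:
    """Model the two paths dnsmasq.postconf sets up for an NTP hostname.

    validate=False: the 'server=/pool.ntp.org/<wan dns>' bypass, answer accepted regardless of clock.
    validate=True:  the query goes through the validating Unbound and is SERVFAIL (bogus)
                    whenever the router clock lies outside the signature window.
    """
    if not validate:
        return "NOERROR"
    return "NOERROR" if signature_window_ok(inception, expiration, now) else "SERVFAIL"


if __name__ == "__main__":
    inc, exp = "20240101000000", "20240131000000"  # constructed 30-day signature window
    for clock in (0, rrsig_time("20240115000000")):
        print(f"clock={clock:>10}  via unbound: {resolve_ntp_name(True, inc, exp, clock)}"
              f"  via WAN DNS bypass: {resolve_ntp_name(False, inc, exp, clock)}")
```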
Please post the complete dnsmasq.postconf file

I added a fun little piece to the bottom of dnsmasq.postconf
this is what I recommend for dnsmasq.postconf
It's an inconvenience for me; the 'Wait for NTP ...' part I eliminated. More may be useful in other cases.
you should try this with S61unbound
and this with dnsmasq.postconf
it handles the clock-syncing problem by only applying modifications when the clock is synced and your storage is mounted; otherwise it will use regular dnsmasq.
The biggest problem to overcome is only allowing the settings to be added once the clock syncs, because applying changes too soon will manipulate the process and order of how things occur within the router itself.
Edit: I added an extra piece to the bottom of dnsmasq.postconf
The only reason I do not go the route of using a direct IP for the NTP service is that there may be multiple IPs attached to an NTP server, and you would lose the benefit of it switching to another IP if the IP you have in its place fails or goes down.

Test add IP number NTP without script wait NTP