[Release] Asuswrt-Merlin 384.6 is now available


I agree, DNSSEC support should surely be transparently 'on' or 'off'.
Catering for various resolvers' apparent inability to implement DNSSEC properly can only end in tears.
Just my 10 cents worth....

Especially as not using strict mode means DNSSEC might not be working at all, and one wouldn't even know it...

I originally added it on my fork to be able to 'set' the option, exactly for the reasons you said. Now I consider it more of a diagnostic tool that should not be left disabled. (i.e. you can disable it, run a check on a DNSSEC test site to make sure DNSSEC is working, and it is indeed just a specific site or sites that are failing).

I also improved the logging of invalid DS replies, this will probably be even more useful as a debugging tool, so people will be able to tell who to point the finger at if things don't work properly. I suspect that in most cases, the fault lies with the domain, not with dnsmasq.

Too bad nslookup doesn't report the response flags, otherwise a simple test could have been implemented in the firmware. fwupdate.lostrealm.ca should have the AD flag set when using a working DNSSEC resolver. Using dig:

Right:
Code:
merlin@ubuntu-dev:~$ dig fwupdate.lostrealm.ca @192.168.10.1

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> fwupdate.lostrealm.ca @192.168.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35551
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fwupdate.lostrealm.ca.        IN    A

;; ANSWER SECTION:
fwupdate.lostrealm.ca.    300    IN    A    104.27.144.248
fwupdate.lostrealm.ca.    300    IN    A    104.27.145.248

;; Query time: 76 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Aug 17 15:33:47 EDT 2018
;; MSG SIZE  rcvd: 82

Wrong:
Code:
merlin@ubuntu-dev:~$ dig fwupdate.lostrealm.ca @4.2.2.2

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> fwupdate.lostrealm.ca @4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10743
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;fwupdate.lostrealm.ca.        IN    A

;; ANSWER SECTION:
fwupdate.lostrealm.ca.    55    IN    A    104.27.145.248
fwupdate.lostrealm.ca.    55    IN    A    104.27.144.248

;; Query time: 23 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Fri Aug 17 15:33:52 EDT 2018
;; MSG SIZE  rcvd: 82
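An added example, not code from this thread or from the firmware: a small Python check that does what the post says nslookup cannot, sending a query with the EDNS0 DO bit set and inspecting the AD flag in the reply header. The two sample headers are constructed from the dig output above; `check_resolver` does the live query against a resolver address you supply (the name and function are this example's own).

```python
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010

def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """A query for qname: RD set, CD clear (we want the resolver to
    validate), plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0,
    # flags with DO (0x8000), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response: bytes) -> dict:
    """Decode the 12-byte header of a DNS message into its flag bits."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"id": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F, "answers": an}

def dnssec_validated(response: bytes, qid: int) -> bool:
    """True only if the reply matches our id, is NOERROR, and carries AD."""
    f = parse_flags(response)
    return f["id"] == qid and f["qr"] and f["rcode"] == 0 and f["ad"]

def check_resolver(server: str, qname: str = "fwupdate.lostrealm.ca",
                   timeout: float = 3.0) -> bool:
    """Live check: query the resolver at `server` (placeholder address) over UDP."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return dnssec_validated(data, 0x1234)

# Constructed sample headers taken from the two dig runs above:
# "Right": id 35551, flags qr rd ra ad; "Wrong": id 10743, flags qr rd ra.
GOOD_HEADER = struct.pack("!HHHHHH", 35551, QR | RD | RA | AD, 1, 2, 0, 1)
BAD_HEADER = struct.pack("!HHHHHH", 10743, QR | RD | RA, 1, 2, 0, 1)
```

A reply with AD missing is not proof the data is bad, only that the resolver did not validate it; a resolver that validates and finds a broken chain returns SERVFAIL instead.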
 
Just an FYI....I tweaked my original change here as when the server really doesn't support DNSSEC it spews semi-garbage and the original message really was better.

EDIT: I've also thought about enabling the log with dnssec-check-unsigned set to no, but haven't had the time to look at that yet.
 

I reworded the original message a bit, making it less definitive as to the cause.

https://github.com/RMerl/asuswrt-merlin.ng/commit/7a469ebda3f3c379840afe3e539c842ef50c6b11

Unfortunately, I have yet to see that message in my own log, so no idea if it works as expected...
 
@RMerlin Then remove it, if you are not sure about adding it. I do not know who suggested it :D, but I understand that it is not a problem with dnsmasq or the firmware; the real problem for me is that 99% of free DNS servers lie to us, we are the product. (as I contradict myself)
 
I have a problem: every time I restart the router I have to manually reconnect the VPN. Is it not possible to make sure that on restart it automatically connects to the VPN that was active at the time of shutdown? On the official firmware it did it automatically.
Thank you
 
Have you made sure that automatic start at boot time is checked under VPN client?
 
I cannot find this setting, where is it??

It is located below the toggle button that turns your VPN access on/off. Choose “Yes” as your option.
 
Coming from an old version, the update went smooth without any problems on my AC88U. Factory reset also done.

At the moment I'm fighting with the OpenVPN Server. The iPhone app tries to connect to the router but the connection will not be established.
Any idea what I'm doing wrong?

thx

From the log-file:

pls help - did I miss something?
thx
 
I am running 384.6 on my 5300 and have installed the post-mount script to start an NTP server on it (as per instructions in Merlin's wiki). I notice, however, that the script does NOT run after a reboot. I have done chmod on the script to make it executable and enabled custom scripts in the GUI. I have to SSH into the router and manually run the script in order to start the NTP server. Anyone else?
 
@Wadadli: have you checked whether the script actually runs at boot? Is it in /jffs/scripts and in the correct format?

Add a line like

Code:
touch /tmp/000ntpstarted

near the beginning of post-mount (but after the shebang) and check the tmp folder after boot for this file to see whether it's created and/or whether its time stamp has changed. If it exists, check syslog for any errors.

(from the user scripts tutorial in the wiki)
 
I am sure the script never runs because I see nothing in the logs that the init of the NTP server succeeded or failed. The comments only show in the logs after I manually run the script.
 
More like I can't touch it any longer. I used to, but now Asus has moved that code to a closed source component specifically to prevent bypassing it...
Thanks for the hint! I found the component and patched it for myself, so now I have 384.7 alpha working perfectly with English as a language.
 
Could you please explain to others exactly how you did it?
Many got a Chinese version and have now lost all other languages (leaving only Chinese and English) with the latest stock or Merlin firmware.
 
I'm pretty sure that @RMerlin will be well aware of the release of the code folks... give the man time to wake up!
 