08 January 2011


I am up for more. I am generally very thisty for the "new things out there". So after successfully enabling IPv6 from yesterday's post I was thinking "hey there is already DNSSEC out there - let me use it".

First things first

On here is a site whether your resolvers supports EDNS, that are DNS packets bigger then 512 bytes. DNSSEC requires that. I had a big problem with that. I am running OpenWRT Backfire 10.03 on my WRT54GL. Unfortunately flash space is a premium on that - I quickly grabbed my old WRAP board with a 128MB CompacyFlash and installed OpenWRT as well, just the x86 version.

I figured I had two options, either to use DNSMasq or Bind with DNSSEC support. DNSMasq supports according to this forum's post EDNS.

After some time I figured that OpenDNS does not support EDNS at all. So I disabled it as a forwarder.

Next problem was with DNSMasq. Configuring Bind to query the root nameservers is not a big deal and I just didnt spend the time to get up2speed with DNSMasq.

Ok, but when I did a query with

$ dig . dnskey
;; Truncated, retrying in TCP mode.

I realized that the solution was already there.

Finally, when I did the "test dig" as

$ dig +bufsize=1024 rs.dns-oarc.net txt

all was good, no more truncated. And in the end I got what I wanted to achieve:

$ dig +bufsize=1024 +short rs.dns-oarc.net txt
" DNS reply size limit is at least 3843"
"Tested at 2011-01-08 16:43:42 UTC"
" sent EDNS buffer size 4096"


OpenWRT only offers Bind in version 9.6.1 patchlevel 2, which is in regards to DNSSEC quite old. Long story short, I installed quite recent Bind 9.7.1 and enabled DNSSEC on there. Done in 5 minutes - see the links above.

A lots has changed, some websites were writing in regards to DNSSEC. Bind can for example also update automatically the root-key for "."... oi!

I noticed that .com also has valid DNSSEC data and I have a .com domain. .co.uk has some data, but dig doesnt show they can be authenticated against ("ad" bit is not set.)

blog comments powered by Disqus