I noticed today that attempts to visit www.cloudflare.com and other subdomains seem to be failing on the latest CeroWRT (3.10.36-4) when DNSSEC checks are enabled, but not if I query Google DNS directly. The resulting queries are:

root@cerowrt:~# dig www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; Query time: 808 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:10 UTC 2014
;; MSG SIZE rcvd: 47

root@cerowrt:~# dig +adflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> +adflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3689
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; Query time: 913 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:21 UTC 2014
;; MSG SIZE rcvd: 47

root@cerowrt:~# dig +cdflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> +cdflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19768
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; ANSWER SECTION:
www.cloudflare.com. 297 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 297 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 297 IN A 198.41.212.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 297 IN A 198.41.213.157

;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:26 UTC 2014
;; MSG SIZE rcvd: 169

root@cerowrt:~# dig @8.8.8.8 www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31488
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; ANSWER SECTION:
www.cloudflare.com. 84 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 166 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 166 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 166 IN A 198.41.212.157

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:35 UTC 2014
;; MSG SIZE rcvd: 169

root@cerowrt:~# dig @8.8.8.8 +adflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 +adflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59486
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; ANSWER SECTION:
www.cloudflare.com. 77 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 159 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 159 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 159 IN A 198.41.212.157

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:41 UTC 2014
;; MSG SIZE rcvd: 169

root@cerowrt:~# dig @8.8.8.8 +cdflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 +cdflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43503
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; ANSWER SECTION:
www.cloudflare.com. 69 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 151 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 151 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 151 IN A 198.41.212.157

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:48 UTC 2014
;; MSG SIZE rcvd: 169

root@cerowrt:~#

Can anyone explain why this should be the case?

-- 
Robert Bradley
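
Added example, not part of the original message: one way to read a transcript like the one above is to compare, per resolver, the response status with and without the CD (checking disabled) bit, and to look for the AD bit on plain answers. The function names are hypothetical and the sample input is the header lines excerpted from the dig output above.

```python
import re
# Sample input: header lines excerpted from the dig transcript above.
TRANSCRIPT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19768
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31488
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43503
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

def parse(text):
    """Yield one dict per dig response: status, header flags, server."""
    cur = {}
    for line in text.splitlines():
        if m := re.search(r"->>HEADER<<-.*status: (\w+)", line):
            cur = {"status": m.group(1), "flags": set()}
        elif m := re.match(r";; flags: ([a-z ]*);", line):
            cur["flags"] = set(m.group(1).split())
        elif m := re.match(r";; SERVER: ([^#]+)#", line):
            cur["server"] = m.group(1)
            yield cur

def diagnose(text):
    """Per resolver, compare the answer with and without the CD bit."""
    seen = {}
    for r in parse(text):
        kind = "cd" if "cd" in r["flags"] else "plain"
        seen.setdefault(r["server"], {})[kind] = r
    verdicts = {}
    for server, r in seen.items():
        plain, cd = r.get("plain"), r.get("cd")
        if plain is None or cd is None:
            verdicts[server] = "need both a plain and a +cdflag query"
        elif plain["status"] == "SERVFAIL" and cd["status"] == "NOERROR":
            # The data is reachable, but only when checking is disabled.
            verdicts[server] = "DNSSEC validation rejected the answer"
        elif plain["status"] == "NOERROR" and "ad" not in plain["flags"]:
            verdicts[server] = "answered without AD (not reported as validated)"
        else:
            verdicts[server] = "no CD-dependent difference"
    return verdicts

print(diagnose(TRANSCRIPT))
```

The first verdict says only that the resolver's validator refused the data; it does not distinguish a broken signature chain from a fault in the validator itself.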