On 11/04/2015 16:03, Marc Petit-Huguenin wrote:
> On 03/30/2015 12:42 PM, Dave Taht wrote:
>> for cerowrt-3.10? Really wasn't planning on it. Didn't even know there
>> was a problem til today...
> So I suppose that means that Cerowrt is now unmaintained and that I should switch to something else, because my job requires near constant access to www.ietf.org and I will not disable DNSSEC.
>
> So, what would you recommend for my WNDR3800?
>
> Thanks.

Openwrt chaos calmer trunk (latest) as of a day ago has dnsmasq 2.73rc4
with suitable handling for DNSSEC.   Certainly I've DNSSEC enabled and
can browse the site you mention without obvious problem.

The automatic determination of 'valid current time' and hence checking
signature timestamps has an issue:  The startup script uses 'touch -t
1970epoch timestampfile' to pre-create a timestamp file which slightly
defeats the inbuilt dnsmasq logic...not helped by the fact '-t' is an
invalid option.