Simon Kelley writes: > I've just pushed a load of changes to git, and tagged 2.69test8 Built and installed on my cerowrt box, and seems to work beautifully: Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: query[A] files.toke.dk from 10.42.0.7 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: forwarded files.toke.dk to 213.80.98.3 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: forwarded files.toke.dk to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DS] toke.dk to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DNSKEY] dk to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DS] dk to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DNSKEY] . to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply . is DNSKEY keytag 33655 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply . is DNSKEY keytag 19036 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DS keytag 26887 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 61294 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 31369 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 26887 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply dk is DNSKEY keytag 7665 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply toke.dk is DS keytag 65122 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply toke.dk is DNSKEY keytag 22551 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply toke.dk is DNSKEY keytag 65122 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: dnssec-query[DS] tohojo.dk to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply tohojo.dk is DS keytag 49471 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply tohojo.dk is DNSKEY keytag 49471 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply tohojo.dk is DNSKEY keytag 30141 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: validation result is SECURE Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply files.toke.dk is Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply web2.tohojo.dk is 144.76.141.113 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: query[AAAA] files.toke.dk from 10.42.0.7 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: cached files.toke.dk is Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: forwarded files.toke.dk to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: validation result is SECURE Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply files.toke.dk is Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: query[MX] files.toke.dk from 10.42.0.7 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: forwarded files.toke.dk to 213.80.98.2 Tue Feb 11 14:44:38 2014 daemon.info dnsmasq[6162]: validation result is SECURE As for client-side tests: $ dig +sigchase files.toke.dk @10.42.0.8 ...snip... Launch a query to find a RRset of type DS for zone: . ;; NO ANSWERS: no more ;; WARNING There is no DS for the zone: . ;; WE HAVE MATERIAL, WE NOW DO VALIDATION ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success ;; OK We found DNSKEY (or more) to validate the RRset ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036 ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS I've also updated the x86 builds on OBS: https://build.opensuse.org/package/repositories/home:tohojo:dnsmasq/dnsmasq -Toke