OK, so I've tried building dnsmasq on cerowrt, from git head. It seems to have some trouble validating stuff: Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: forwarded mail2.tohojo.dk to 213.80.98.2 Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2 Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] tohojo.dk to 213.80.98.2 Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] dk to 213.80.98.2 Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] dk to 213.80.98.2 Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: reply dk is BOGUS DS Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: validation result is BOGUS This is with dnssec-debug turned on. I'm not entirely sure how to go about debugging this, but FWIW this works: $ dig +dnssec +sigchase mail2.tohojo.dk @213.80.98.2 ...snip... ;; WE HAVE MATERIAL, WE NOW DO VALIDATION ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success ;; OK We found DNSKEY (or more) to validate the RRset ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036 ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS Whereas going through the dnsmasq server fails: $ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1 ...snip... ;; WE HAVE MATERIAL, WE NOW DO VALIDATION ;; VERIFYING DS RRset for tohojo.dk. with DNSKEY:61294: success ;; OK We found DNSKEY (or more) to validate the RRset ;; Now, we are going to validate this DNSKEY by the DS ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for dk. with DNSKEY:26887: success ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset ;; Now, we want to validate the DS : recursive call Launch a query to find a RRset of type DNSKEY for zone: . ;; DNSKEYset that signs the RRset to chase: . 0 IN DNSKEY 256 3 8 AwEAAYRU41/8smgAvuSojEP4jaj5Yll7WPaUKpYvnz2pnX2VIvRn4jsy Jns80bloenG6X9ebJVy2CFtZQLKHP8DcKmIFotdgs2HolyocY1am/+33 4RtzusM2ojkhjn1FRGtuSE9s2TSz1ISv0yVnFyu+EP/ZkiWnDfWeVrJI SEWBEr4V . 0 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= . 0 IN DNSKEY 256 3 8 AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX1 95Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5 I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6Wyb BZ6kuqED Launch a query to find a RRset of type RRSIG for zone: . ;; RRSIG for DNSKEY is missing to continue validation : FAILED Not really sure what to make of this? -Toke