Thanks Dave. One-liner change in "other.zone" and dnssec worked seamlessly on my home network!! (except bug 113)

Fix -
1. Add below line to "/etc/chroot/named/etc/bind/default/other.zones"
   zone "." { type hint; file "/etc/bind/default/root.db"; };
2. Comment out existing two lines - zone "." { type slave ..." and zone "arpa" { type slave ..."
   These two zones have masters explicitly specified as 192.5.5.241 (which doesn't work here)

f-root (192.5.5.241) is not pingable from my home ISP (but from my office network). It's really weird.

Thanks,
Ketan

On Fri, Mar 16, 2012 at 12:08 AM, Dave Taht wrote:
> While I'm at this, I note that we do also include dnsmasq in cerowrt,
> and include the full openwrt gui for such.
>
> You can easily deconfigure bind and replace it with dnsmasq by:
>
> mv /etc/xinetd.d/named /etc/named.old
> killall -1 xinetd
> killall named
> vi /etc/config/dhcp
>
> and change the port 0 line to be port 53
>
> /etc/init.d/dnsmasq restart # or just reboot
>
> and that should enable dnsmasq instead of bind.
>
> I note that what is in 3.3rc7 and later is actually the most bleeding-edge-ist
> dnsmasq, which includes (untested, hint, hint) support for dnssec proxying,
> as well as ra announcements and some support for serving up dhcpv6.
>
> dnsmasq is much better integrated into the openwrt gui, as well.
>
> In losing bind, the ability to have split views, act as an internet peer, etc, etc
> are all lost, and I'd prefer to keep hacking on bind, but the new dnsmasq could
> use some love expended on it too, as I expect the new version to be standard
> on far more cpe than bind ever will be.
>
> This new version of dnsmasq should be out in final form soon.
>
> (and as I side note, because I can't stand vi, I have an emacs clone in the build
> called zile)
>
>
> On Thu, Mar 15, 2012 at 11:19 AM, Dave Taht wrote:
> > I hope you don't mind, but I prefer to always answer questions like these
> > publicly.
> >
> >
> > On Thu, Mar 15, 2012 at 10:55 AM, Ketan Kulkarni wrote:
> >> Hi Dave,
> >> I bought wndr3800 and now setting up the cerowrt on it.
> >
> > Yea!
> >
> >> I am getting few issues in setting up dns server.
> >> Observation: nslookup from my laptop through cerowrt fails
> >>
> >> Thanks jg for many dns related pointers - still I must have missed something
> >> to get it working.
> >>
> >> Few things I tried (few of them really dumb) -
> >> 1. Time and zone is properly set on cerowrt box
> >> 2. Restarted namedprep and named every time
> >
> > At one level I'm glad we're exposing potential problems with getting
> > dnssec deployed more widely.
> >
> > At another level, it frustrates me.
> >
> >> 3. Also tried modifying
> >> dnssec-validation auto to off;
> >> dnssec-lookaside auto to off; and then restarting named but it didn't help
> >> either.
> >
> > To debug these sorts of problems I usually use a command to continuously
> > read the syslog
> >
> > openwrt# logread -f &
> >
> > and then watch stuff like 'killing off the dns server and restarting' go.
> >
> > # killall named
> > # nslookup ::1 # should return localhost after named restarts
> > # rndc validation disable # is a command you can issue to turn off validation
> > # host www.lwn.net # repeat a few times
> > # your clock should slew inside of about
> > #
> > Here are the potential problems.
> >
> > 0) Are you on a real ip address or behind levels of nat?
> >
> > 1) If you are behind someone else's firewall, it may be that you cannot
> > get dns through it. In many locations dns packets are blocked, and dns
> > is only available from the local dns server.
> >
> > 2) in some locations dns access to the roots is blocked
> >
> > 3) in some places the local dns server is too lame to recurse properly
> > or handle ipv6
> >
> > 4) in others NTP is blocked
> >
> >>
> >> 4. Added my lan subnet entry in "acls.local.conf" - in vain.
> >
> > It is a good idea that you do so.
> >
> >> 5. added my dns servers in forwarders.conf
> >
> > That should have worked, unless your dns servers were lame.
> >
> > Did you try 8.8.8.8 as a forwarder?
> >
> >> If I configure any open dns server like 8.8.8.8; everything works properly
> >> (as expected).
> >>
> >> Waited to catch you - but it's almost midnight here - so thought to put it in
> >> the mail
> >
> > I went to bed early last night (flu), and woke up late (more flu)
> >
> >>
> >> Appreciate your help.
> >>
> >> Thanks,
> >> Ketan
> >>
> >> p.s. firmware is cerowrt-3.3rc7.2
> >
> >
> >
> > --
> > Dave Täht
> > SKYPE: davetaht
> > US Tel: 1-239-829-5608
> > http://www.bufferbloat.net
>
>
> --
> Dave Täht
> SKYPE: davetaht
> US Tel: 1-239-829-5608
> http://www.bufferbloat.net
>
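Ketan's two-step other.zones fix, as an added shell example that is not part of the thread: it comments out the two slave stanzas and adds the root hint zone on a copy of the file, then checks that exactly one active zone "." remains. The stanza text, file path and 192.5.5.241 master come from the mail; the sample file contents and the slave file names are constructed.

```shell
#!/bin/sh
# Added example (not from the mail): applies the other.zones fix to a
# copy of the file and checks the result. Paths, stanza text and the
# 192.5.5.241 master come from the mail; the sample contents are constructed.
set -eu

ROOT_HINT='zone "." { type hint; file "/etc/bind/default/root.db"; };'

# apply_root_hint_fix FILE: comment out the root and arpa slave zones and
# add the root hint zone. Safe to run twice (idempotent). Uses a temp file
# instead of sed -i so it also works with busybox sed on the router.
apply_root_hint_fix() {
    f=$1
    tmp="$f.tmp"
    sed -e 's/^\(zone "\." *{ *type slave.*\)$/\/\/ \1/' \
        -e 's/^\(zone "arpa" *{ *type slave.*\)$/\/\/ \1/' "$f" > "$tmp"
    mv "$tmp" "$f"
    grep -q '^zone "\." *{ *type hint' "$f" || printf '%s\n' "$ROOT_HINT" >> "$f"
}

# root_zone_is_hint FILE: exit 0 when exactly one active zone "." stanza
# remains and it is the hint zone (named refuses a zone defined twice).
root_zone_is_hint() {
    active=$(grep -c '^zone "\." *{' "$1" || true)
    [ "$active" -eq 1 ] && grep -q '^zone "\." *{ *type hint' "$1"
}

# make_sample FILE: constructed stand-in for the shipped other.zones, with
# the two slave stanzas the mail mentions plus one unrelated zone that must
# survive untouched. The slave file names are invented.
make_sample() {
    cat > "$1" <<'EOF'
zone "." { type slave; file "slave/root.db"; masters { 192.5.5.241; }; };
zone "arpa" { type slave; file "slave/arpa.db"; masters { 192.5.5.241; }; };
zone "home.lan" { type master; file "/etc/bind/default/home.lan.db"; };
EOF
}

# Demo on a scratch copy; on the router you would point this at
# /etc/chroot/named/etc/bind/default/other.zones and then restart named.
demo=$(mktemp)
make_sample "$demo"
apply_root_hint_fix "$demo"
root_zone_is_hint "$demo" && echo "root zone is now a hint zone:"
cat "$demo"
rm -f "$demo"
```

Assuming named is chrooted to /etc/chroot/named (the directory the other.zones path sits under), the hint file the stanza names resolves to /etc/chroot/named/etc/bind/default/root.db, so confirm that file exists before restarting named.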