<span style="font-family:courier new,monospace">Thanks Dave. <br>One liner change in "other.zone" and dnssec worked seamlessly on my home network!! (except bug 113)</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace"></span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">Fix -</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">1. Add below line to "/etc/chroot/named/etc/bind/default/other.zones"</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace"> "zone "." { type hint; file "/etc/bind/default/root.db"; };"</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">2. Comment out existing two lines -</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace"> zone "." { type slave ..."</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace"> and </span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace"> zone "arpa" { type slave ..."</span><br style="font-family:courier new,monospace"><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">These two zones have masters explicitly specified as 192.5.5.241 (which doesnt work here)</span><br style="font-family:courier new,monospace">
<br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">f-root (192.5.5.241) is not pingable from my home ISP (but from my office network). It's really weird.</span><br style="font-family:courier new,monospace">
<br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace"></span><span style="font-family:courier new,monospace">Thanks,</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">Ketan</span><br style="font-family:courier new,monospace">
<br><br></span><div class="gmail_quote">On Fri, Mar 16, 2012 at 12:08 AM, Dave Taht <span dir="ltr"><<a href="mailto:dave.taht@gmail.com" target="_blank">dave.taht@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
While I'm at this, I note that we do also include dnsmasq in cerowrt,<br>
and include the full openwrt gui for such.<br>
<br>
You can easily deconfigure bind and replace it with dnsmasq by:<br>
<br>
mv /etc/xinetd.d/named /etc/named.old<br>
killall -1 xinetd<br>
killall named<br>
vi /etc/config/dhcp<br>
<br>
and change the port 0 line to be port 53<br>
<br>
/etc/init.d/dnsmasq restart # or just reboot<br>
<br>
and that should enable dnsmasq instead of bind.<br>
<br>
I note that what is in 3.3rc7 and later is actually the most bleeding-edge-ist<br>
dnsmasq, which includes (untested, hint, hint) support for dnssec proxying,<br>
as well as ra announcements and some support for serving up dhcpv6.<br>
<br>
dnsmasq is much better integrated into the openwrt gui, as well.<br>
<br>
In losing bind, the ability to have split views, act as an internet<br>
peer, etc, etc<br>
are all lost, and I'd prefer to keep hacking on bind, but the new dnsmasq could<br>
use some love expended on it too, asI expect the new version to be standard<br>
are far more cpe than bind ever will be.<br>
<br>
This new version of dnsmasq should be out in final form soon.<br>
<br>
(and as I side note, because I can't stand vi, I have an emacs clone<br>
in the build<br>
called zile)<br>
<div><div><br>
<br>
On Thu, Mar 15, 2012 at 11:19 AM, Dave Taht <<a href="mailto:dave.taht@gmail.com" target="_blank">dave.taht@gmail.com</a>> wrote:<br>
> I hope you don't mind, but I prefer to always answer questions like these<br>
> publicly.<br>
><br>
> On Thu, Mar 15, 2012 at 10:55 AM, Ketan Kulkarni <<a href="mailto:ketkulka@gmail.com" target="_blank">ketkulka@gmail.com</a>> wrote:<br>
>> Hi Dave,<br>
>> I bought wndr3800 and now setting up the cerowrt on it.<br>
><br>
> Yea!<br>
><br>
>> I am getting few issues in setting up dns server.<br>
>> Observation: nslookup from my laptop through cerowrt fails<br>
>><br>
>> Thanks jg for many dns related pointers - still I must have missed something<br>
>> to get it working.<br>
>><br>
>> Few things I tried (few of them really dumb) -<br>
>> 1. Time and zone is properly set on cerowrt box<br>
>> 2. Restarted namedprep and named everytime<br>
><br>
> At one level I'm glad we're exposing potential problems with getting<br>
> dnssec deployed more widely.<br>
><br>
> At another level, it frustrates me.<br>
><br>
>> 3. Also tried modifying<br>
>> dnssec-validation auto to off;<br>
>> dnssec-lookaside auto to off; and then restarting named but it didnt help<br>
>> either.<br>
><br>
> To debug these sorts of problems I usually use a command to continuously<br>
> read the syslog<br>
><br>
> openwrt# logread -f &<br>
><br>
> and then watch stuff like 'killing off the dns server and restarting' go.<br>
><br>
> # killall named<br>
> # nslookup ::1 # should return localhost after named restarts<br>
> # rndc validation disable # is a command you can issue to turn off validation<br>
> # host <a href="http://www.lwn.net" target="_blank">www.lwn.net</a> # repeat a few times<br>
> # your clock should slew inside of about<br>
> #<br>
> Here are the potential problems.<br>
><br>
> 0) Are you on a real ip address or behind levels of nat?<br>
><br>
> 1) If you are behind someone elses firewall, it may be that you cannot<br>
> get dns through it. In many locations dns packets are blocked, and dns<br>
> is only available from the local dns server.<br>
><br>
> 2) in some locations dns access to the roots is blocked<br>
><br>
> 3) in some places the local dns server is too lame to recurse properly<br>
> or handle ipv6<br>
><br>
> 4) in others NTP is blocked<br>
><br>
>><br>
>> 4. Added my lan subnet entry in "acls.local.conf" - in vain.<br>
><br>
> It is a good idea that you do so.<br>
><br>
>> 5. added my dns servers in forwarders.conf<br>
><br>
> That should have worked, unless your dns servers were lame.<br>
><br>
> Did you try 8.8.8.8 as a forwarder?<br>
><br>
>> If I configure any open dns server like 8.8.8.8; everything works properly<br>
>> (as expected).<br>
>><br>
>> Waited to catch you - but its almost midnight here - so thought to put it in<br>
>> the mail<br>
><br>
> I went to bed early last night (flu), and woke up late (more flu)<br>
><br>
>><br>
>> Appreciate your help.<br>
>><br>
>> Thanks,<br>
>> Ketan<br>
>><br>
>> p.s. firmware is cerowrt-3.3rc7.2<br>
><br>
><br>
><br>
> --<br>
> Dave Täht<br>
> SKYPE: davetaht<br>
> US Tel: 1-239-829-5608<br>
> <a href="http://www.bufferbloat.net" target="_blank">http://www.bufferbloat.net</a><br>
<br>
<br>
<br>
--<br>
Dave Täht<br>
SKYPE: davetaht<br>
US Tel: 1-239-829-5608<br>
<a href="http://www.bufferbloat.net" target="_blank">http://www.bufferbloat.net</a><br>
</div></div></blockquote></div><br>