Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
On Sunday 14 June 2015 19:44:14, you wrote:
> Hi,
>
> On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon steph...@22decembre.eu wrote:
> > On Friday 12 June 2015, 13:16:09, Maciej Soltysiak wrote:
> > > A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response from a signed zone and the intended reaction of dnsmasq kicks in. Not a bug then.
> > > Is my understanding correct?
> >
> > As far as I understand, I have the same issue (except that dnsmasq itself is serving the non signed zone and unbound the signed)!
> >
> > To solve that, I propose to make the unsigned zone on another domain or zone than the signed one.
> >
> > server.domain.org is signed and the public face of your server.
> > server.intern.domain.org is unsigned. Your users can then use this address, and the dns can still have a different answer depending on where they are.
> >
> > Do you understand me? Do you think it is a good idea? (I am thinking of using it for my case).
>
> Yes, I understand, I think it would work and it's a clever workaround for the issue, however in my case it does not help to maintain the end goal which was to provide authenticated response to that domain so that it is always trustworthy.
>
> That actually is becoming a DNSSEC question. Is there a way to provide split-horizon answers on signed zones? Can one name have 2 different valid answers and RRSIGs? Perhaps if the signature could be for a name/ttl pair, not just the name and have different ttls on those names? Dunno.
>
> Perhaps me trying to use dns records to test whether the responses are coming over dnscrypt or not is flawed in nature.
>
> Thanks anyway,
> Maciej

Actually, it works at first glance (basic resolution and connectivity works), but it fails fast: when you have to work on your website that is hosted on your home server, nothing works anymore!

So I am returning to my previous setup before wondering what I should do. I am going to write an article about this and all the workarounds that have been tried. Maybe it will then give me an idea on the solution.

--
The file signature.asc is not attached to be read by you. It's a digital signature by GPG. If you want to know why I use it, and why you should as well, you can read my article there: http://www.22decembre.eu/2015/03/21/introduction-en/

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
On Friday 12 June 2015, 13:16:09, Maciej Soltysiak wrote:
> I think I have discovered what the problem is and it's unlikely to be dnsmasq.
>
> What I do is that I have a setup which is basically a split horizon:
> - users who are not on the service get A record for using.dnscrypt from a DNSSEC signed zone
> - users who are on the service get *a different* A record for using.dnscrypt.pl from unbound, without sigs!
>
> A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response from a signed zone and the intended reaction of dnsmasq kicks in. Not a bug then.
> Is my understanding correct?

As far as I understand, I have the same issue (except that dnsmasq itself is serving the non signed zone and unbound the signed)!

To solve that, I propose to make the unsigned zone on another domain or zone than the signed one.

server.domain.org is signed and the public face of your server.
server.intern.domain.org is unsigned. Your users can then use this address, and the dns can still have a different answer depending on where they are.

Do you understand me? Do you think it is a good idea? (I am thinking of using it for my case).

> Best regards,
> Maciej
>
> On Fri, Jun 12, 2015 at 10:19 AM, Maciej Soltysiak mac...@soltysiak.com wrote:
> > Hi,
> >
> > One of my users raised an issue that using.dnscrypt.pl does not resolve when dnssec-check-unsigned is turned on.
> > I replicated the issue with the most recent openwrt Chaos Calmer package: dnsmasq-full.
> >
> > When dnssec and trust anchor are set and dnssec-check-unsigned is as well, dnsmasq says BOGUS DS:
> >
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from 192.168.1.206
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> >
> > Verisign dnssec checks are ok: http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl
> >
> > Oddly, dnscrypt.pl resolves fine. It also works fine if dnssec-check-unsigned is turned off.
> >
> > Not sure if rc10 fixes it, it's not in openwrt repo yet.
> >
> > Any ideas?
> >
> > Best regards,
> > Maciej Soltysiak
> > DNSCrypt Poland
> > https://dnscrypt.pl

--
This signature.asc file? It's a GPG signature. If you want to know why I use GPG and why you should too, you can read my article: http://www.22decembre.eu/2015/03/21/introduction-fr/
Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
Hi,

On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon steph...@22decembre.eu wrote:
> On Friday 12 June 2015, 13:16:09, Maciej Soltysiak wrote:
> > A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response from a signed zone and the intended reaction of dnsmasq kicks in. Not a bug then.
> > Is my understanding correct?
>
> As far as I understand, I have the same issue (except that dnsmasq itself is serving the non signed zone and unbound the signed)!
>
> To solve that, I propose to make the unsigned zone on another domain or zone than the signed one.
>
> server.domain.org is signed and the public face of your server.
> server.intern.domain.org is unsigned. Your users can then use this address, and the dns can still have a different answer depending on where they are.
>
> Do you understand me? Do you think it is a good idea? (I am thinking of using it for my case).

Yes, I understand, I think it would work and it's a clever workaround for the issue, however in my case it does not help to maintain the end goal which was to provide authenticated response to that domain so that it is always trustworthy.

That actually is becoming a DNSSEC question. Is there a way to provide split-horizon answers on signed zones? Can one name have 2 different valid answers and RRSIGs? Perhaps if the signature could be for a name/ttl pair, not just the name and have different ttls on those names? Dunno.

Perhaps me trying to use dns records to test whether the responses are coming over dnscrypt or not is flawed in nature.

Thanks anyway,
Maciej
Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
On Fri, Jun 12, 2015 at 10:18 PM, Simon Kelley si...@thekelleys.org.uk wrote:
> On 12/06/15 12:16, Maciej Soltysiak wrote:
> > I think I have discovered what the problem is and it's unlikely to be dnsmasq.
>
> Without doing an exhaustive analysis (I've done too many DNSSEC post-mortems recently) that seems to be a reasonable explanation.
>
> Certainly, using.dnscrypt.pl validates fine here.

Right, and thanks for checking. It must be the weird thing I'm doing...

> Simon.

Maciej
[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
Hi,

One of my users raised an issue that using.dnscrypt.pl does not resolve when dnssec-check-unsigned is turned on.
I replicated the issue with the most recent openwrt Chaos Calmer package: dnsmasq-full.

When dnssec and trust anchor are set and dnssec-check-unsigned is as well, dnsmasq says BOGUS DS:

Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from 192.168.1.206
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48

Verisign dnssec checks are ok: http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl

Oddly, dnscrypt.pl resolves fine. It also works fine if dnssec-check-unsigned is turned off.

Not sure if rc10 fixes it, it's not in openwrt repo yet.

Any ideas?

Best regards,
Maciej Soltysiak
DNSCrypt Poland
https://dnscrypt.pl
Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
I think I have discovered what the problem is and it's unlikely to be dnsmasq.

What I do is that I have a setup which is basically a split horizon:
- users who are not on the service get A record for using.dnscrypt from a DNSSEC signed zone
- users who are on the service get *a different* A record for using.dnscrypt.pl from unbound, without sigs!

A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response from a signed zone and the intended reaction of dnsmasq kicks in. Not a bug then.
Is my understanding correct?

Best regards,
Maciej

On Fri, Jun 12, 2015 at 10:19 AM, Maciej Soltysiak mac...@soltysiak.com wrote:
> Hi,
>
> One of my users raised an issue that using.dnscrypt.pl does not resolve when dnssec-check-unsigned is turned on.
> I replicated the issue with the most recent openwrt Chaos Calmer package: dnsmasq-full.
>
> When dnssec and trust anchor are set and dnssec-check-unsigned is as well, dnsmasq says BOGUS DS:
>
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from 192.168.1.206
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
>
> Verisign dnssec checks are ok: http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl
>
> Oddly, dnscrypt.pl resolves fine. It also works fine if dnssec-check-unsigned is turned off.
>
> Not sure if rc10 fixes it, it's not in openwrt repo yet.
>
> Any ideas?
>
> Best regards,
> Maciej Soltysiak
> DNSCrypt Poland
> https://dnscrypt.pl
Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
On 12/06/15 12:16, Maciej Soltysiak wrote:
> I think I have discovered what the problem is and it's unlikely to be dnsmasq.
>
> What I do is that I have a setup which is basically a split horizon:
> - users who are not on the service get A record for using.dnscrypt from a DNSSEC signed zone
> - users who are on the service get *a different* A record for using.dnscrypt.pl from unbound, without sigs!
>
> A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response from a signed zone and the intended reaction of dnsmasq kicks in. Not a bug then.
> Is my understanding correct?

Without doing an exhaustive analysis (I've done too many DNSSEC post-mortems recently) that seems to be a reasonable explanation.

Certainly, using.dnscrypt.pl validates fine here.

dnsmasq: query[A] using.dnscrypt.pl from 127.0.0.1
dnsmasq: forwarded using.dnscrypt.pl to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] dnscrypt.pl to 8.8.8.8
dnsmasq: dnssec-query[DS] dnscrypt.pl to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] pl to 8.8.8.8
dnsmasq: dnssec-query[DS] pl to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 48613
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply pl is DS keytag 52250
dnsmasq: reply pl is DS keytag 52250
dnsmasq: reply pl is DNSKEY keytag 61416
dnsmasq: reply pl is DNSKEY keytag 6418
dnsmasq: reply pl is DNSKEY keytag 14899
dnsmasq: reply pl is DNSKEY keytag 52250
dnsmasq: reply dnscrypt.pl is DS keytag 65416
dnsmasq: reply dnscrypt.pl is DS keytag 65416
dnsmasq: reply dnscrypt.pl is DNSKEY keytag 65416
dnsmasq: reply dnscrypt.pl is DNSKEY keytag 3668
dnsmasq: reply dnscrypt.pl is DNSKEY keytag 43164
dnsmasq: reply dnscrypt.pl is DNSKEY keytag 64611
dnsmasq: validation result is SECURE
dnsmasq: reply using.dnscrypt.pl is CNAME
dnsmasq: reply not-using.dnscrypt.pl is 188.226.192.48

Cheers,

Simon.

> Best regards,
> Maciej
>
> On Fri, Jun 12, 2015 at 10:19 AM, Maciej Soltysiak mac...@soltysiak.com wrote:
> > Hi,
> >
> > One of my users raised an issue that using.dnscrypt.pl does not resolve when dnssec-check-unsigned is turned on.
> > I replicated the issue with the most recent openwrt Chaos Calmer package: dnsmasq-full.
> >
> > When dnssec and trust anchor are set and dnssec-check-unsigned is as well, dnsmasq says BOGUS DS:
> >
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from 192.168.1.206
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> >
> > Verisign dnssec checks are ok: http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl
> >
> > Oddly, dnscrypt.pl resolves fine. It also works fine if dnssec-check-unsigned is turned off.
> >
> > Not sure if rc10 fixes it, it's not in openwrt repo yet.
> >
> > Any ideas?
> >
> > Best regards,
> > Maciej Soltysiak
> > DNSCrypt Poland
> > https://dnscrypt.pl
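A triage sketch for the symptom discussed in this thread, added here as an example and not code from dnsmasq or from any poster: it parses dnsmasq log lines in both formats quoted above and reports names whose DNSSEC verdict differs depending on the upstream they were forwarded to. The function names are hypothetical, the sample logs are a constructed subset of the lines quoted in the thread, and attributing a nameless "validation result" line to the most recent client query is an assumption.

```python
import re
from collections import defaultdict

# Constructed samples: a subset of the log lines quoted in this thread.
FAILING_LOG = """\
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from 192.168.1.206
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
"""
WORKING_LOG = """\
dnsmasq: query[A] using.dnscrypt.pl from 127.0.0.1
dnsmasq: forwarded using.dnscrypt.pl to 8.8.8.8
dnsmasq: dnssec-query[DS] dnscrypt.pl to 8.8.8.8
dnsmasq: reply dnscrypt.pl is DS keytag 65416
dnsmasq: validation result is SECURE
dnsmasq: reply using.dnscrypt.pl is CNAME
dnsmasq: reply not-using.dnscrypt.pl is 188.226.192.48
"""

# Drop an optional syslog prefix so both quoted formats parse the same way.
PREFIX = re.compile(r"^.*?dnsmasq(?:\[\d+\])?:\s+")
QUERY = re.compile(r"^query\[\w+\] (\S+) from \S+$")
FORWARDED = re.compile(r"^forwarded (\S+) to (\S+)$")
BOGUS_REPLY = re.compile(r"^reply (\S+) is BOGUS (\w+)$")
VALIDATION = re.compile(r"^validation (\S+) is (SECURE|INSECURE|BOGUS)$")


def summarize(log_text):
    """Per name: verdict per upstream, and record types logged as BOGUS."""
    upstream_of, last_query = {}, None
    out = defaultdict(lambda: {"verdicts": {}, "bogus_rr": set()})
    for raw in log_text.splitlines():
        msg = PREFIX.sub("", raw.strip(), count=1)
        if m := QUERY.match(msg):
            last_query = m.group(1)
        elif m := FORWARDED.match(msg):
            upstream_of[m.group(1)] = m.group(2)
        elif m := BOGUS_REPLY.match(msg):
            out[m.group(1)]["bogus_rr"].add(m.group(2))
        elif m := VALIDATION.match(msg):
            name, verdict = m.groups()
            # "validation result is SECURE" carries no name: assume it
            # belongs to the most recent client query (heuristic).
            if name == "result":
                name = last_query
            if name:
                out[name]["verdicts"][upstream_of.get(name, "unknown")] = verdict
    return dict(out)


def conflicting_names(*logs):
    """Names whose verdict differs between upstreams across the given logs."""
    merged = defaultdict(dict)
    for log in logs:
        for name, info in summarize(log).items():
            merged[name].update(info["verdicts"])
    return {n: v for n, v in merged.items() if len(set(v.values())) > 1}


if __name__ == "__main__":
    print(conflicting_names(FAILING_LOG, WORKING_LOG))
```

A name that is BOGUS through one forwarder and SECURE through another, as using.dnscrypt.pl is here, points at the upstream path rather than at the validator.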