On Mon, Jan 20, 2025 at 04:52:56PM +0100, Uwe Kleine-König wrote: > Hello again, > > On Mon, Jan 20, 2025 at 11:32:57AM +0100, Uwe Kleine-König wrote: > > On Sun, Jan 19, 2025 at 11:50:23PM +0000, Simon Kelley wrote: > > > If you add a DS record for > > > kleine-koenig.org to your config, it should work, assuming that > > > 192.168.128.3 is DNSSEC capable. > > > > Now I added > > > > > > trust-anchor=kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1 > > > > which matches the DS record for kleine-koenig.org in both the public DNS > > and the internal view and now delv happy.kk4.kleine-koenig.org works > > (same output as above, with "unsigned answer" as expected). > > I did that on another router running an older OpenWrt (that is, it > doesn't include your recent changes) and that made DNSSEC verification > also work in that router's lan. Is that expected?
I take that back, it doesn't work. I think when I came to the conclusion that it does work, my host's resolver settings used a different nameserver than I expected. So indeed your changes in 2.91test8 are relevant for my setup. Best regards Uwe
signature.asc
Description: PGP signature
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
