I have 1.1.1.1 (and its backup as well as IPv6) loaded into my router. The thing is it is spewing errors:
Insecure DS reply received, do upstream DNS servers support DNSSEC?
Sometimes many times with the same timestamp. Sometimes not for a long while.
Asus RT-AC86U
Merlin 384.6
No way of really telling unless I keep going to random links and tail the syslog. I really do not have time for that.
Did some reading on the firmware makers forums. Seems cloudFlare is not using full/proper DNSSEC spec.
I wonder how long this will take to get fixed.
Just noticed https://www.aljazeera.com/ is not resolving and the router is throwing the error every time I try.
That domain doesn’t have DNSSEC enabled. It may be your ISP, can you see if it fails by setting router DNS to default or Google and setting your OS’s dns to 1.1.1.1?
@crkinard can you clarify where in that post you see a DNSSEC issue? DNSCrypt is a different technology.
What I’ve seen with these issues in the past is other DNS providers are more lax about validating the DNSSEC, allowing through sites which should rightfully be broken.
I think this might be kresd #359.
aljazeera.com. has said invalid configuration:
aljazeera.com. 300 IN CNAME 2-01-3b91-0003.cdx.cedexis.net.
2-01-3b91-0003.cdx.cedexis.net. 20 IN CNAME www.aljazeera.com.edgekey.net.
www.aljazeera.com.edgekey.net. 21600 IN CNAME e9106.dscg.akamaiedge.net.
e9106.dscg.akamaiedge.net. 20 IN A 23.210.132.235
When I Googled that DNSMasq error message, that was the only concrete explanation I found. For all I know, it could happen for lots of other reasons too.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q3/012392.html
(Relating to a different domain and resolver.)
There’s no issue with kresd’s own, internal DNSSEC validation – as far as I know – but there are issues with its responses that can break validating clients.