DDNS does not work with DNSSEC

nslookup works fine from my computer but not on TO:

nslookup sync.afraid.org

nslookup: can’t resolve ‘(null)’: Name does not resolve

nslookup: can’t resolve ‘sync.afraid.org’: Try again

I have been experimenting with different settings with dns forwarding or without forwarding, but no success.
The only was I could make this work was, when I disabled DNSSEC

Is there any other way to make this work? I wouldn’t want to disable a security feature if it is possible.

I’m unable to reproduce that with this particular domain – it appears correctly insecured below afraid.org. (I can’t look deeper soon.)


I do not have have DNSSEC disabled, and it works for me:

root@router:~# nslookup sync.afraid.org
nslookup: can't resolve '(null)': Name does not resolve

Name:      sync.afraid.org
Address 1: ns1.afraid.org
root@-router:~# nslookup sync.afraid.org
Address 1: google-public-dns-a.google.com

Name:      sync.afraid.org
Address 1: ns1.afraid.org

You say DDNS doesn’t work, or do you mean DNS doesn’t work?

If you mean DDNS, then you can configure an alternative DNS server to be testing for you DDNS hostname’s current IP address. The parameter is called dns_server. For example:

root@sr-router:~# uci show | grep ddns

I think the nameserver for afraid.org is ns1.afraid.org, if so, then you could test via: nslookup sync.afraid.org ns1.afraid.org and see where that takes you.

I feel that it is better to use your DDNS providers’ nameserver because that is the nearest to the reality (assume the caches have steeled).

nslookup from busybox is broken (known for almost a decade). It doesn’t use the second parameter and always asks the default resolver (silently).


tx for the answers. DDNS is not working in luci and when I check the logs, I can see this:
232849 : nslookup: can’t resolve ‘(null)’: Name does not resolve
So basically I see the same thing. DDNS does not work because nslookup does not work, cannot resolve the needed hostnames with DNSSEC for some reason.

I do not have this parameter in my list. Btw can you tell me how to configure an alternative DNS servers for the router? I see you are using google DNS servers, I tried to switch to it as well, editing /etc/config/network. However I have now this in my /tmp/resolv.conf.auto:

Interface wwanfree


Is there anyway to config this in Luci as well? Or what is the best way to do it?
As you can see for some reason the old dns servers are still there for some reason in the last 2 lines.
The first 2 are google dns, but I still cannot resolve the sync.afraid.org.

Also can you send me your config /etc/config/network?

do you know why is there this bug for a decade? will it be fixed? or is there any special reason that it has not yet been fixed?
How can I check which dns server is really being used by nslookup?

Is there any way to disable DNSSEC only for certain selected (listed) hostnames?

  • I didn’t much look into why the bug was introduced. Anyway, I just read a few reports about it after stumbling upon the bug; nothing more. From the description the implementation is making some assumptions about libc that don’t always hold, and apparently noone has had enough motivation to fix it properly (the usual “reason”).
  • I’m not sure of a nice way on Omnia (I didn’t really try to find out). Perhaps capture packets and inspect them.
  • You can add kresd config and specify explicitly insecure subtrees via
    trust_anchors.negative = { 'dnssec-failed.org' }


thanks it is useful, I tried it but unfortunately it still cannot resolve it. I have added this line:

$ cat /etc/kresd/custom.conf
trust_anchors.negative = { ‘sync.afraid.org’ }

and modified kres section of /etc/config/resolver:
config resolver 'kresd’
option rundir '/tmp/kresd’
option log_stderr '0’
option log_stdout '0’
option forks '1’
option include_config ‘/etc/kresd/custom.conf’

$ nslookup sync.afraid.org
nslookup: can’t resolve ‘(null)’: Name does not resolve

nslookup: can’t resolve ‘sync.afraid.org’: Try again

What could be wrong?

This doesn’t necessarily mean there’s a problem - it could well be ‘normal’ and there is no reason why ddns wouldn’t work even with this error.

This is a problem. You could do the following & try again (you would best reboot the router after):

root@router:~# opkg update; opkg install knot-host

This allows ddns-scripts (which is a very well-maintained piece of shell script written specifically for OpenWrt & thus for TO) to use khost for name resolution. I am not sure if dig is installed by default on TO, but you can get ddns to use that as well. So try khost sync.afraid.org and dig sync.afraid.org before you go any further (AFAIK they both use an internal resolver).

I do remember setting up afraid.org was a bit difficult (I use a different domain now) - I think I had to go via dnsomatic.com in the end - have you tried that? At least it will tell you if you ddns client is working.

Before that, try this from TOs CLI (NB: namecheap is my chosen name, yours will be called something else (try uci show ddns | grep service):

root@router:~# /etc/init.d/ddns stop
root@router:~# /usr/lib/ddns/dynamic_dns_updater.sh namecheap 3

and you could post the result here for us to check for you. You could even try this:

root@router:~# /usr/lib/ddns/dynamic_dns_updater.sh namecheap 3 | grep -i detected
root@router:~# /etc/init.d/ddns restart

If things look good with 3 (which does everything but send an update), then try 2, which also sends an update).


thanks for suggestions. Here are my resultls:
I have tried: “opkg update; opkg install knot-host”, but first it didn’t help.
Yes, dig is installed in my router by default. Neither dig, nor nslookup nor khost helped first:

dig sync.afraid.org

 <<>> DiG 9.11.2-P1 <<>> sync.afraid.org
global options: +cmd
 connection timed out; no servers could be reached

    khost sync.afraid.org

 WARNING: response timeout for

 WARNING: response timeout for
 WARNING: failed to query server
 WARNING: response timeout for

uci show ddns | grep service


/etc/init.d/ddns stop
usr/lib/ddns/dynamic_dns_updater.sh freedns 3

161313 : ************ ************** ************** **************
161313 note : PID ‘25125’ started at 2018-03-15 16:13
161313 : ddns version : 2.6.4-1
161313 : uci configuration:
161313 WARN : Service section ‘freedns’ not defined - TERMINATE
161313 WARN : PID ‘25125’ exit WITH ERROR ‘1’ at 2018-03-15 16:13

And then some MAGIC started to happen, it started to work, but I do not understand exactly why:

    khost sync.afraid.org

sync.afraid.org. is an alias for freedns.afraid.org.
freedns.afraid.org. has IPv4 address

dig sync.afraid.org

 <<>> DiG 9.11.2-P1 <<>> sync.afraid.org
 global options: +cmd
 Got answer:
 ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47363
 flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

 EDNS: version: 0, flags:; udp: 4096
sync.afraid.org. IN A

sync.afraid.org. 300 IN CNAME freedns.afraid.org.
freedns.afraid.org. 60 IN A

 Query time: 186 msec
 WHEN: Thu Mar 15 16:25:59 CET 2018
;MSG SIZE rcvd: 82

nslookup sync.afraid.org

nslookup: can’t resolve ‘(null)’: Name does not resolve

Name: sync.afraid.org
Address 1: ns1.afraid.org

Please note my previous post. I have DNSSEC disabled for sync.afraid.org, but this config didn’t work so far for some reason. Your tip made it work though, I don’t know why or how. All we did was actually restarting ddns service. But it should have been restarted by router restart anyway. And it is restarted every day for me. But it only started to work now. I made some more testing and it is now working as expected. If i comment out my config in /etc/kresd/custom.conf and restart kresd, nslookup/dig/khost still wont work. If i enable it (means disable DNSSEC), then it works.

After all that, I am not sure if you’ve got it working, or not. Ha!

If required, here’s a work-around: use dnsomatic.com. The TO’s DDNS client talks to dnsomatic (so your router doesn’t need to resolve sync.afraid.org) & dnsomatic’s talks to afraid.org’s name servers.

When you ran this command, it said you’ve 3 ddns services configured: myddns_ipv4, myddns_ipv6, dnet_ipv4 and test. (I note freedns is not one of these).

When you ran this command, it said “Service section ‘freedns’ not defined”, which is correct.

as mentioned it is only working with DNSSEC disabled but for security I only disabled it specifiacally for sync.afraid.org. With DNSSEC enabled, it does not work. As I remember you told in your first post, it is working for you even with DNSSEC.

Before using dnsomatic, I checked if it would work, but it would be the same issue with it:

nslookup dnsomatic.com

nslookup: can’t resolve ‘(null)’: Name does not resolve

nslookup: can’t resolve ‘dnsomatic.com’: Try again