hanvinke

The strange thing is that edns-packet-max setting defaults to 4096 in dnsmasq since long. But applying --edns-packet-max=4096 in the configuration of dnsmasq apparently has no effect. I can still see...

Did not see a change in the syslog when enabling dnssec in Stubby. According to RFC6891 6.2.5. Payload Size Selection : .. _A requestor SHOULD choose to use a fallback...

Strange behaviour indeed. How exactly does it fall over? Just AD-bit not showing in the response? Does the same thing also happen when you use 'dnssectest.sidn.nl' instead of 'google.com' ?...

I have also tried this on my openWRT device. It seems that there is always an answer either very slow or with a time-out. But I do have the AD-flag...

@uzlonewolf could you please try 'Zero configuration DNSSEC' with Stubby by disabling 'dnssec_trust_anchors', the 3 files (root-anchors.p7s ,root-anchors.xml and root.key) should appear in your appdata_dir. Recently I had some troubles...

With DiG 9.18.10 there seem to be improvements in speed and handling. I get a much quicker response from dnssectest.sidn.nl and no time-outs so far. [dnssectest1.txt](https://github.com/getdnsapi/stubby/files/10328968/dnssectest1.txt) // edit: still have...

The solution is very simple. For Windows to get dnssec working with Stubby you need to install Unbound.

Well, I had the same problem on Windows. Only Opportunistic mode worked out-of-the-box, but Strict Mode failed. After installing Unbound that problem was solved. Sorry, I am not an expert...

No sorry, I was sleeping already yesterday. Unbound has nothing to do with it. The problem is in the default stubby.yml file. On line 134 it should read: "dnssec_return_status: GETDNS_EXTENSION_TRUE"....

I manually added the root cert earlier with unbound-anchor. It seemed to work. When I changed the location of trust-anchor file however, I noticed spaces and capital letters are a...