Problems with BIND plugin 9.16_17/9.17 and DNSSEC keys
-
Tested on 2.6.0-RELEASE(amd64) zfs and 2.7.0-DEVELOPMENT(amd64) zfs.
It all started because of the transfer of configs from /cf/ to /var/etc/.
I once wrote about this, that the keys stopped working. Then the developers added a fix that transfers keys from /cf/named/etc/namedb/keys/ to /var/etc/named/etc/namedb/keys/ (CHROOT_LOCALBASE . "/etc/namedb/keys/").
This helped for upgrades of the old plugin, but only worked until the first reboot. Later, while getting rid of the old paths in the code of this fix, the developers renamed the old path to the new one, and the result is complete nonsense: it now takes the keys from the new path and moves them to the same place. (This code needs to be removed since it doesn't do anything useful anyway.)
...
define('CHROOT_LOCALBASE', '/var/etc/named');
...
/* move DNSSEC keys from old chroot,
 * see https://redmine.pfsense.org/issues/13002 */
/* note: the glob below and $newkey resolve to the same directory, so nothing is moved */
foreach (glob("/var/etc/named/etc/namedb/keys/K{$zonename}*key", GLOB_NOSORT) as $filename) {
    $newkey = CHROOT_LOCALBASE . "/etc/namedb/keys/" . basename($filename);
    if (!file_exists($newkey)) {
        rename($filename, $newkey);
    }
}
As a result, the zone settings have an optional flag for saving the key in the xml config. But on the first start of the service (pfSense boot), when the configuration for bind is created, these keys are not created from the xml (/var/etc/ is cleared every time), and bind starts with unsigned entries (no RRSIG records). Restarting through Services does not help. Only the Save button in the bind settings helps: it starts a resync, writes the keys out from the xml, and bind then starts normally with DNSSEC working.
If the "Backup Keys" checkbox was not set, then you need to manually copy the keys to /var/etc/named/etc/namedb/keys/ and restart bind in any way. I temporarily added a shellcmd, and I store the keys in /root/keys:
mkdir -p -m 0755 /var/etc/named/etc/namedb/keys && cp /root/keys/* /var/etc/named/etc/namedb/keys/ && chown -R bind /var/etc/named/etc/namedb
As a quick fix, when bind is first run it needs to do a full resync and save the keys from the xml config, and saving the keys in the xml should be made mandatory (so that it cannot be turned off).
If the checkbox is left optional, then you need to give an option to specify the directory where the keys are taken from and copy them to /var/etc/named/etc/namedb/keys/, or tell bind where the keys are.
PS: short instructions to reproduce the error:
- create a test zone with an A record
- enable "Inline Signing"
- enable "Backup Keys" (it will create the keys itself and add them to the xml)
- look at the record: dig @127.0.0.1 xxx.yyy +dnssec +short
- reboot
- look at this record again: dig @127.0.0.1 xxx.yyy +dnssec +short
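As an added example (not code from the original post or from the pfSense BIND plugin), a small script that automates the shellcmd workaround above with a completeness check: it restores one zone's key pairs from a backup directory into the chroot keys directory, keeps the private halves owner-only, and adds a helper that checks dig output for an RRSIG so the post-reboot state can be verified. The names RESTORE_ZONE, KEYS_BACKUP, restore_zone_keys and has_rrsig are assumptions of this example; the default paths are the ones used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from the pfSense BIND plugin.
# Restores the DNSSEC key pairs of one zone from a persistent backup directory
# into the (volatile) chroot keys directory, so BIND finds them after a reboot.
# Assumed layout: backup holds K<zone>.+<alg>+<tag>.key and .private pairs as
# written by dnssec-keygen; BIND runs as user "bind", as in the shellcmd above.
KEYS_BACKUP="${KEYS_BACKUP:-/root/keys}"
KEYS_DIR="${KEYS_DIR:-/var/etc/named/etc/namedb/keys}"

# restore_zone_keys <zone> <backup_dir> <keys_dir>
# Prints the number of complete key pairs copied; exits non-zero if no key
# was found or a .key file has no matching .private file (half a pair would
# leave the zone unsignable and is worth catching before BIND is restarted).
restore_zone_keys() {
  zone=$1; src=$2; dst=$3; pairs=0
  mkdir -p -m 0755 "$dst" || return 1
  for pub in "$src"/K"$zone".+*.key; do
    [ -e "$pub" ] || { echo "no keys for $zone in $src" >&2; echo 0; return 1; }
    priv="${pub%.key}.private"
    if [ ! -f "$priv" ]; then
      echo "missing $priv" >&2; echo "$pairs"; return 1
    fi
    cp "$pub" "$priv" "$dst"/ || return 1
    chmod 0644 "$dst/$(basename "$pub")"
    chmod 0600 "$dst/$(basename "$priv")"   # private half: owner-only
    pairs=$((pairs + 1))
  done
  # BIND must be able to read the private halves; chown only works as root.
  if [ "$(id -u)" = 0 ] && id bind >/dev/null 2>&1; then
    chown -R bind "$dst"
  fi
  echo "$pairs"
}

# has_rrsig: reads dig output on stdin (with or without +short) and succeeds
# if at least one RRSIG is present, i.e. the zone is being served signed.
has_rrsig() {
  grep -Eq '(^|[[:space:]])RRSIG[[:space:]]|^[A-Z0-9]+ [0-9]+ [0-9]+ [0-9]+ [0-9]{14} '
}

# Usage after a reboot, before restarting bind (zone name is a placeholder):
#   RESTORE_ZONE=example.com sh restore-keys.sh
#   dig @127.0.0.1 www.example.com +dnssec +short | has_rrsig && echo signed
if [ -n "${RESTORE_ZONE:-}" ]; then
  restore_zone_keys "$RESTORE_ZONE" "$KEYS_BACKUP" "$KEYS_DIR"
fi
```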
-