Netgate Discussion Forum

23.01 Upgrade unbound Issue

General pfSense Questions

  • techman2005
    last edited by Feb 18, 2023, 11:23 PM

    I upgraded my pfSense to 23.01 and after a few hours DNS resolving to public sites stops working. I have the below set and public DNS is set to 9.9.9.9. This setup has worked for a long time on the previous version. The error I get is Unbound: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN. Restarting unbound fixes the problem temporarily, as does unchecking "enable forwarding mode", which I want checked and enabled.

    [attachment; login required to view]

    • jimp moved this topic from Problems Installing or Upgrading pfSense Software on Feb 19, 2023, 4:35 PM
    • stephenw10 Netgate Administrator
      last edited by Feb 20, 2023, 12:42 AM

      There's really no point having DNSSec enabled in forwarding mode. You're already trusting the upstream servers. Does disabling that change anything?

      Steve

      • techman2005
        last edited by Feb 20, 2023, 2:13 AM

        Thanks for the information, I found this article on Quad9's site and followed those instructions; now everything works great.

        https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS

        • moelassus @techman2005
          last edited by Feb 20, 2023, 10:27 PM

          @techman2005 That Quad9 "guide" shows enabling both the Forwarder service as well as the Resolver with Forwarding enabled.

          I always thought you should use one or the other. Is there a reason to use both?

          • stephenw10 Netgate Administrator
            last edited by Feb 20, 2023, 10:51 PM

            It's possible to use both if you set one to use a different port. It would be unusual.

            But, for example, if you are redirecting all DNS queries from IOT devices to pfSense you could use a different port for that. And then forward those requests differently.

            • SteveITS Galactic Empire @moelassus
              Feb 20, 2023, 11:03 PM (last edited by SteveITS Feb 20, 2023, 11:56 PM)

              @moelassus said in 23.01 Upgrade unbound Issue:

              @techman2005 That Quad9 "guide" shows enabling both the Forwarder service as well as the Resolver with Forwarding enabled.

              No it doesn’t:
              “Navigate to Services -> DNS Forwarder on the top menu. Make sure Enable DNS forwarder is disabled. If it is enabled, disable it, and click Save” ;)

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              • techman2005 @SteveITS
                last edited by Feb 20, 2023, 11:22 PM

                My config looks like this now and everything is working great. I verified everything is working correctly by looking at states.

                [two attachments; login required to view]

                • Cylosoft @stephenw10
                  last edited by Feb 20, 2023, 11:25 PM

                  @stephenw10 Disabling DNSSec got things back on track for v23 on my systems also. v22 worked fine with that checked.

                  • SteveITS Galactic Empire @Cylosoft
                    Feb 20, 2023, 11:34 PM (last edited by SteveITS Feb 20, 2023, 11:36 PM)

                    @cylosoft said in 23.01 Upgrade unbound Issue:

                    @stephenw10 Disabling DNSSec got things back on track for v23 on my systems also. v22 worked fine with that checked.

                    That’s been my experience also. Earlier, I checked our outside router which the whole building goes through and it had DNSSEC enabled. That’s on 22.05 I believe (am not where I can double check now), upgraded over many, many versions.

                    Do you have particular domains that failed? For me it was LinkedIn.com forwarding to Quad9. I didn’t do a lot of testing but it was I think my first access, an hour or so after installing 23.01.

                    I suppose it’s possible the newer unbound version does something different. (Not to say it’s a bug, per se, but the perception is working->not working)

                    • Cylosoft @SteveITS
                      last edited by Feb 20, 2023, 11:36 PM

                      @steveits The reports I was getting were all Cloudflare hosted DNS. But I'm not sure that means anything since that's a huge chunk of the internet.

                      • stephenw10 Netgate Administrator
                        last edited by Feb 20, 2023, 11:38 PM

                        Mmm, it's odd because if it's enabled and fails then whatever you're forwarding to doesn't support it. So I would expect it to be an all or nothing situation.
                        I wonder if it was previously disabled automatically in the old Unbound version. 🤔

                        • Cylosoft @stephenw10
                          last edited by Feb 20, 2023, 11:41 PM

                          @stephenw10 Quad9's setup article said "DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures." I took that to mean the random failures I was seeing. But I don't know. Maybe the random failures will come back.

                          • SteveITS Galactic Empire @Cylosoft
                            last edited by Feb 20, 2023, 11:44 PM

                            @cylosoft said in 23.01 Upgrade unbound Issue:

                            Maybe the random failures will come back.

                            Quiet, you!

                            • techman2005 @SteveITS
                              last edited by Feb 20, 2023, 11:53 PM

                              [attachment; login required to view]

                              • SteveITS Galactic Empire @stephenw10
                                last edited by Feb 21, 2023, 12:48 AM

                                @stephenw10 I thought I'd try to replicate it with linkedin.com just now and couldn't, at least by enabling DNSSEC and immediately (without waiting an hour or two) running nslookup. It was failing the other day because I was testing and resolved it.

                                Of course disabling DNSSEC also restarts unbound so now there's a question of what the problem actually is...does it show up after time? On certain queries? When the domain's NS has something misconfigured?

                                If it is a bug, then it occurs to me there's a question on the correct solution:

                                A) resolve the bug
                                B) automatically disable/hide DNSSEC when forwarding is enabled

                                Option B sounds like it is "more correct"...and maybe something that should be done regardless of any bug/not bug.

                                • johnpoz LAYER 8 Global Moderator @SteveITS
                                  Feb 21, 2023, 1:02 AM (last edited by johnpoz Feb 21, 2023, 1:08 AM)

                                  @steveits said in 23.01 Upgrade unbound Issue:

                                  does it show up after time?

                                  Most likely this - if you're asking for dnssec when where you forward to is already doing dnssec.. And you get something returned via cache - because you're forwarding, etc. As quad9 step 3 says about turning it off "can cause false dnssec failures" if dnssec fails then what you're looking for would fail, etc.

                                  If you're forwarding, clearly you trust where you're forwarding to. They are already doing dnssec as a resolver, which is where it is meant to be done, etc. I see no point in setting your unbound to try and do dnssec as well.. It's going to be flawed when you're not resolving. At best it's causing extra queries, at worst stuff is going to fail to resolve. There is no reason to do it.

                                  edit: btw I have been saying to turn off dnssec if you're forwarding for YEARS... here is a post from 2016, where I state to turn it off if you're forwarding ;)

                                  https://forum.netgate.com/post/627755

                                  Might be posts from before that, prob all the way back to when unbound was just a package in pfSense and not built in.. dnssec has no use in forwarding mode..

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11
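
As an added example (not code from this thread, from pfSense, or from Unbound): a small Python lint that reads an unbound.conf-style text and flags the combination johnpoz and stephenw10 describe above, DNSSEC validation left on while "." is forwarded to an upstream that already validates. It also shows the corrected setting and picks out the trust-anchor error techman2005 quoted from a few log lines. The configuration and log lines are constructed; the chroot path, the root.key path, and the assumption that the DNSSEC checkbox maps to `module-config: "validator iterator"` versus `"iterator"` are assumptions, not copied from a real pfSense system.

```python
"""Lint an unbound.conf-style config for DNSSEC validation combined with root
forwarding, and scan log lines for the trust-anchor priming failure.
Added example; not pfSense or Unbound code."""
import re
from dataclasses import dataclass, field

# Constructed sample in the style of a pfSense-generated unbound.conf.
# Paths and option values are assumptions, not copied from a real system.
SAMPLE_CONF = """\
server:
    chroot: /var/unbound
    module-config: "validator iterator"   # assumed: what the DNSSEC checkbox turns on
    auto-trust-anchor-file: /var/unbound/root.key

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
"""

# Constructed syslog-style lines; only the second carries the quoted error.
SAMPLE_LOG = [
    "Feb 18 22:40:59 pfSense unbound[55231]: [55231:0] info: start of service (unbound 1.17.1).",
    "Feb 18 22:41:07 pfSense unbound[55231]: [55231:0] error: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN",
    "Feb 18 22:41:07 pfSense unbound[55231]: [55231:0] info: resolving example.com. A IN",
]

TRUST_ANCHOR_FAILURE = re.compile(r"failed to prime trust anchor -- could not fetch DNSKEY rrset")


@dataclass
class UnboundConfig:
    module_config: str = "validator iterator"  # unbound's built-in default
    trust_anchor_files: list = field(default_factory=list)
    forward_zones: dict = field(default_factory=dict)  # zone name -> [forward-addr ...]


def _strip_comment(line: str) -> str:
    # A '#' only starts a comment at line start or after whitespace; inside
    # 'forward-addr: 9.9.9.9@853#dns.quad9.net' it introduces the TLS
    # authentication name and must be kept.
    return re.sub(r"(^|\s)#.*$", "", line).strip()


def parse_unbound_conf(text: str) -> UnboundConfig:
    cfg = UnboundConfig()
    zone = None  # name of the forward-zone clause currently being read
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # clause header: 'server:', 'forward-zone:'
            zone = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "module-config":
            cfg.module_config = value
        elif key == "auto-trust-anchor-file":
            cfg.trust_anchor_files.append(value)
        elif key == "name":  # assumed to belong to a forward-zone clause in this sample
            zone = value
            cfg.forward_zones.setdefault(zone, [])
        elif key in ("forward-addr", "forward-host") and zone is not None:
            cfg.forward_zones[zone].append(value)
    return cfg


def lint_forwarding_with_dnssec(cfg: UnboundConfig) -> list:
    """Return human-readable findings; an empty list means the combination is sane."""
    findings = []
    validating = "validator" in cfg.module_config.split()
    upstreams = cfg.forward_zones.get(".", [])
    if upstreams and validating:
        findings.append(
            "DNSSEC validation is on (module-config %r) while '.' is forwarded to %s: "
            "the upstream already validates, so local validation only adds queries and "
            "can turn cached or partially served answers into SERVFAIL. Untick DNSSEC in "
            "the Resolver settings (module-config \"iterator\")."
            % (cfg.module_config, ", ".join(upstreams))
        )
    return findings


def disable_validation(conf_text: str) -> str:
    """Rewrite module-config so the validator module is not loaded (assumed to be what unticking DNSSEC does)."""
    return re.sub(r'^(\s*module-config:\s*)"[^"]*"', r'\1"iterator"', conf_text, flags=re.M)


def find_trust_anchor_failures(log_lines) -> list:
    """Lines reporting that unbound could not fetch the root DNSKEY to prime its trust anchor."""
    return [line for line in log_lines if TRUST_ANCHOR_FAILURE.search(line)]


if __name__ == "__main__":
    cfg = parse_unbound_conf(SAMPLE_CONF)
    for finding in lint_forwarding_with_dnssec(cfg):
        print("WARN:", finding)
    for line in find_trust_anchor_failures(SAMPLE_LOG):
        print("LOG :", line)
    fixed = parse_unbound_conf(disable_validation(SAMPLE_CONF))
    print("after fix:", lint_forwarding_with_dnssec(fixed) or "no findings")
```

Running it against a real box means feeding the file pfSense actually generates and the resolver log lines, not the constructed sample; the lint only checks the one interaction discussed in this thread and says nothing about whether the upstream itself validates.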

                                  • SteveITS Galactic Empire @johnpoz
                                    Feb 21, 2023, 1:17 AM (last edited by SteveITS Feb 21, 2023, 1:17 AM)

                                    @johnpoz said in 23.01 Upgrade unbound Issue:

                                    I see no point in setting your unbound to try and do dnssec as well

                                    Oh I'm not debating whether it should be off. :) I'm suggesting that since it should be off, when forwarding is enabled, then pfSense should turn it off. IOW, avoid foot-shootery.

                                    I've seen maybe 10ish people complaining about DNS problems after installing 23.01 and it seems like it's DNSSEC and forwarding.

                                    • johnpoz LAYER 8 Global Moderator @SteveITS
                                      last edited by Feb 21, 2023, 1:26 AM

                                      @steveits we are on the same page, and I understood you're suggesting it should be off if you enable forwarding.. Completely agree with you.. Maybe we crossed some wires or something.. We are in lock step here - if the user clicks forwarding mode, the checkbox for dnssec should be unchecked and grayed out to be honest.

                                      But that would draw complaints most likely as well ;) Maybe pop up another check box that says, by clicking this I understand what I am doing and want to do forwarding with dnssec.. I will not post any questions or threads about dns issues if I have this checked ;)

                                      • SteveITS referenced this topic on Feb 21, 2023, 3:20 AM
                                      • SteveITS Galactic Empire
                                        last edited by Feb 21, 2023, 3:42 PM

                                        @johnpoz @stephenw10 I made a Redmine feature request.

                                        I can't easily generate a default config file right now (wife is on a conference call 😉) but is DNSSEC enabled by default? I am pretty sure it is not, but it still seems safer to turn it off when forwarding is enabled.

                                        • jimp Rebel Alliance Developer Netgate
                                          last edited by Feb 21, 2023, 4:00 PM

                                          The default configuration has Forwarding off and DNSSEC on. Someone enabling forwarding should probably disable DNSSEC manually but that isn't rejected by validation or changed automatically.

                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                          Need help fast? Netgate Global Support!

                                          Do not Chat/PM for help!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.