Netgate Discussion Forum

Harden DNSSEC Data input error

DHCP and DNS
4 Posts 3 Posters 197 Views
    Qinn
    last edited by Dec 31, 2024, 10:31 AM

    Maybe something to consider to be built into pfSense?

    When you try to enable "Harden DNSSEC Data" in the Advanced Settings of the DNS Resolver it checks whether DNSSEC Support is enabled; if not, an error message appears when you try to save this setting.
    [screenshot: pfSense DNS Resolver Advanced Settings]

    But there is no reverse compatible check. Let me explain:

    When you have DNS support enabled and also enabled "Harden DNSSEC Data" in Advanced Settings, and for some reason later on decide to disable DNS support, there is no error report, so you could leave something checked that cannot work.

    Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
    Firmware: Latest-stable-pfSense CE (amd64)
    Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

      johnpoz LAYER 8 Global Moderator @Qinn
      last edited by johnpoz Dec 31, 2024, 1:08 PM Dec 31, 2024, 1:01 PM

      @Qinn huh? If you disable dnssec - then harden being checked is not going to do anything anyway. But if you want to use the harden setting, then yeah dnssec has to be enabled to enable that.

      What is harden dnssec going to do if dnssec isn't enabled - that is all that is telling you.

      It's the dnssec part of resolving - not dns.. if you disabled the resolver completely - again none of its settings matter.

      Like trying to turn on a light in a house that doesn't have the main breaker turned on.. If you turn on the kitchen light when you do have the main breaker on, but then later turn off the main breaker - it doesn't matter if the kitchen light switch is on.

      Let's call the resolver being enabled the main breaker, while dnssec is the kitchen breaker - it's kind of hard to turn on the kitchen light switch for the light above the sink if the kitchen breaker is off.

      But if you turn off either the kitchen breaker or the main breaker - it doesn't matter if the light switch is on for the light above the sink.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

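The dependency chain johnpoz describes (resolver enabled, then DNSSEC, then Harden DNSSEC Data) written out as a small settings validator. This is an added example, not code from the thread or from pfSense itself; the mapping of the two GUI checkboxes to the unbound directives and the root.key path are assumptions. It flags a checked option whose parent setting is off, which is the reverse check the first post asks for.

```python
"""Dependency-aware check for the DNS Resolver options discussed in this thread."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ResolverSettings:
    resolver_enabled: bool      # Services > DNS Resolver > General: Enable (the "main breaker")
    dnssec: bool                # General page: "Enable DNSSEC Support" (the "kitchen breaker")
    harden_dnssec_data: bool    # Advanced page: "Harden DNSSEC Data" (the light switch)


# Each option is only meaningful while its parent is on; the root has no parent.
DEPENDS_ON = {
    "dnssec": "resolver_enabled",
    "harden_dnssec_data": "dnssec",
}


def stale_settings(s: ResolverSettings) -> list[str]:
    """Return messages for options that are checked but cannot take effect,
    walking the dependency chain so a disabled root is reported for every child."""
    stale = []
    for name, parent in DEPENDS_ON.items():
        if not getattr(s, name):
            continue
        p = parent
        while p is not None:
            if not getattr(s, p):
                stale.append(f"{name} is checked but {p} is disabled")
                break
            p = DEPENDS_ON.get(p)
    return stale


def unbound_directives(s: ResolverSettings) -> list[str]:
    """Render the unbound.conf lines these options would produce.
    Assumed mapping: DNSSEC -> auto-trust-anchor-file, Harden -> harden-dnssec-stripped.
    harden-dnssec-stripped is only emitted when validation is on, since unbound
    ignores it without a trust anchor, which is why the stale option is harmless."""
    if not s.resolver_enabled:
        return []
    lines = []
    if s.dnssec:
        lines.append("auto-trust-anchor-file: /var/unbound/root.key")  # assumed path
        lines.append(f"harden-dnssec-stripped: {'yes' if s.harden_dnssec_data else 'no'}")
    return lines
```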
        Gertjan @Qinn
        last edited by Gertjan Dec 31, 2024, 1:25 PM Dec 31, 2024, 1:23 PM

        @Qinn

        Yep, these two DNSSEC options, one on the main page and the other on the advanced page, make things confusing.
        But, if DNSSEC is disabled on the first page, the setting on the second page is a 'don't care', so unbound will be happy. True, if the admin unchecked DNSSEC on the first page, but forgot about it on the second page (leaving it checked), later on he will get a reminder. Free!

        I guess, validating settings on one page should not auto 'touch' (or modify) settings on another page, for 'some "don't open the can of worms" reason'.

        Btw: DNSSEC is a free extra security. Who would refuse that? Netgate, as they are network (DNS) experts (I guess - who are we to disagree), have it enabled by default 😊

        edit ... stupid me, I forgot again that flat earthers, DNS forwarders etc really exist.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          Qinn
          last edited by Dec 31, 2024, 2:05 PM

          Thanx guys, for your reply

          @johnpoz I can follow the logic, as you explained it, using the main breaker example.
