DNSSEC on pfSense
-
Ok I am back from vacation. Will look into the various bugs and let you guys know when an update is committed.
-
hello wagonza! Hope your vacation was nice and groovy…
I have a little(?) proposal: Could you put the unbound-logs separate? Maybe in that section "package-logs"?
It is logging really lot and so the normal syslog is full of unbound-log-entries, which make it somewhat difficult to find special entries. Say, i have to open a console to view directly at the log. 1000 lines are not enough at the webgui... (Not a big clue, but would make that thing easier.) -
I hear you - will add this. Otherwise Im winning with all the other changes. Hopefully will commit some time tomorrow.
Off to lala land for tonight. -
Woot!
-
Guys I have committed some changes which include Unbound getting its own log file. This will require a recent snapshot (later than Thursday last week) as there were some bugs in package log handling. I have also added some extra 'statistics' options, so that it is up to the user to decide on what he/she wants to see and how often.
I can add debugging verbosity as well if you guys think that would help you?
There is one caveat currently DHCP entries end up in the hosts file and there is a daemon that handles updating /etc/hosts when ever there is a change to the dhcp leases file. This daemon will need to be updated to handle updating unbound. Currently only a re-save on Unbound will re-populate this data.
Lastly, if you make use of DHCP and you assign pfSense as your DNS server (i.e. DNS servers field is left blank) then you will need to specify the IP address of the respective DHCP interface so that existing behaviour is kept. The reason for this is that in the base of pfSense it will automatically assign the Systems: General DNS servers to the dhcp client if DNSMasq is disabled.
So just reinstall and please let me know what else is still not working.
-
There is one caveat currently DHCP entries end up in the hosts file and there is a daemon that handles updating /etc/hosts when ever there is a change to the dhcp leases file. This daemon will need to be updated to handle updating unbound. Currently only a re-save on Unbound will re-populate this data.
Hey,
great news. I will check it out, soon. What I do not get though is your post I quoted. What does that exactly have to mean? At what times do I have to press save on Unbound tab?
-
Unbound does not install:
Beginning package installation for Unbound... Downloading package configuration file... done. Saving updated package information... done. Downloading Unbound and its dependencies... Checking for package installation... unbound-1.4.7 could not download. of unbound-1.4.7 failed! Installation aborted.Removing package... Starting package deletion for unbound-1.4.7...done. Starting package deletion for expat-2.0.1_1...done. Starting package deletion for openssl-1.0.0_2...done. Removing Unbound components... Tabs items... done. Menu items... done. Services... done. Loading package instructions... Include file unbound.inc could not be found for inclusion. Deinstall commands... Not executing custom deinstall hook because an include is missing. Removing package instructions...done. Auxiliary files... done. Package XML... done. Configuration... done. Failed to install package. Installation halted. -
Did the update today and encountered this:
kernel: pid 41731 (php), uid 0: exited on signal 11 (core dumped) Dec 6 15:06:59 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '/usr/local/etc/unbound/unbound.conf:52: error: unknown keyword '2.8' /usr/local/etc/unbound/unbound.conf:52: error: unknown keyword 'intel' /usr/local/etc/unbound/unbound.conf:52: error: stray ''' /usr/local/etc/unbound/unbound.conf:52: error: stray '"' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword '2,1' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword 'PPC' /usr/local/etc/unbound/unbound.conf:55: error: stray ''' /usr/local/etc/unbound/unbound.conf:55: error: stray '"' read /usr/local/etc/unbound/unbound.conf failed: 8 errors in configuration file [1291644419] unbound[60301:0] fatal error: Could not read config file: /usr/local/etc/unbound/unbound.conf'Obviously it doesn't work. :(
The unbound.conf is at the expected place, the errors about that offending keywords are excerped from the respective local Client-descriptions. Here are two the lines from the unbound.conf:
local-data: "tiffany.local IN A 10.112.35.2" local-data: "tiffany.local TXT 'iMac 24" 2.8 intel'"Hope that helps. Oh, shouldn't the log be separate?
-
great news. I will check it out, soon. What I do not get though is your post I quoted. What does that exactly have to mean? At what times do I have to press save on Unbound tab?
Sorry let me rephrase. If you make use of "Register DHCP leases in DNS forwarder" what actually happens is that the dhcp leases file is read whenever it gets updated with a new host or a hosts IP changes. The daemon that monitors the dhcp leases file then updates /etc/hosts so that DNSMasq will resolve these DHCP hosts by their hostname. For now this daemon will still update /etc/hosts but Unbound will not be updated as it does not use/read /etc/hosts. So what you have to do, for the interim, is save the config on Unbound - this proces will read /etc/hosts and create the relevant entries to match. If your DHCP leases data (ip to host mapping) changes often then this will become a little irritating.
I am investigating libunbound to see if I can get the same behaviour as pfSense currently has.
PS. You can look for the dhcpleases entries with the comment "# dynamic entry from dhcpd.leases" in your hosts file below the "# dhpleases automatically entered" comment.
-
Thanks for the explanation. I am using the register clients function. But I guess I won't be adding no names right now. My LAN at home won't grow ;-)
But I still can't install the package :(
-
Unbound does not install:
yeah bad timing - the package server died, not sure of the status currently. I know jim-p is working on it.
-
Did the update today and encountered this:
kernel: pid 41731 (php), uid 0: exited on signal 11 (core dumped) Dec 6 15:06:59 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '/usr/local/etc/unbound/unbound.conf:52: error: unknown keyword '2.8' /usr/local/etc/unbound/unbound.conf:52: error: unknown keyword 'intel' /usr/local/etc/unbound/unbound.conf:52: error: stray ''' /usr/local/etc/unbound/unbound.conf:52: error: stray '"' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword '2,1' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword 'PPC' /usr/local/etc/unbound/unbound.conf:55: error: stray ''' /usr/local/etc/unbound/unbound.conf:55: error: stray '"' read /usr/local/etc/unbound/unbound.conf failed: 8 errors in configuration file [1291644419] unbound[60301:0] fatal error: Could not read config file: /usr/local/etc/unbound/unbound.conf'Obviously it doesn't work. :(
The unbound.conf is at the expected place, the errors about that offending keywords are excerped from the respective local Client-descriptions. Here are two the lines from the unbound.conf:
local-data: "tiffany.local IN A 10.112.35.2" local-data: "tiffany.local TXT 'iMac 24" 2.8 intel'"Hope that helps. Oh, shouldn't the log be separate?
Ooo not cool - will fix that.
You should have a /var/log/unbound.log (but you need to be running one of the latest snapshot)? Also in /etc/syslog.conf, you should see unbound config entry.
-
Ok @_igor_ your stuff should be working now - just reinstall the package.
@jlepthien - i have just installed unbound and its correctly downloaded everything.
-
Still having problems here. I am on NanoBSD…
Beginning package installation for Unbound... Downloading package configuration file... done. Saving updated package information... done. Downloading Unbound and its dependencies... Checking for package installation... unbound-1.4.7 (extracting) expat-2.0.1_1 (extracting) openssl-1.0.0_3 (extracting) libevent-1.3e could not download. of unbound-1.4.7 failed! Installation aborted.Removing package... Starting package deletion for unbound-1.4.7...done. Starting package deletion for expat-2.0.1_1...done. Starting package deletion for openssl-1.0.0_2...done. Removing Unbound components... Tabs items... done. Menu items... done. Services... done. Loading package instructions... Include file unbound.inc could not be found for inclusion. Deinstall commands... Not executing custom deinstall hook because an include is missing. Removing package instructions...done. Auxiliary files... done. Package XML... done. Configuration... done. Failed to install package. Installation halted. -
Ok i was testing on a full install but that shouldn't make a difference as the packages are collected from the same place.
All I can say is try again today. -
Hmmm. pfSense still can't install libevent-1.3e…
Installed it via ssh with pkg_add -r libevent and then went to the GUI to install Unbound but still nothing. Same error as before...
-
This time the installation was a big mess:
First, after installation unbound AND dnsmasq were both enabled. It would be much better to have unbound disabled after a fresh install! I was cut off the internet instantly after the installation, nor could i reach my pfsense-Web-IF again. No dns-name neither IP worked.
looking at the systemlog encountered that the same errors appeared again (description is parsed as config)
Then after that logentries the log was full of "missing unbound-control, not found"-messages.Finally i managed by deinstalling unbound manually and doing a gitsync to get back control of my pfSense.
-
Hmmm. pfSense still can't install libevent-1.3e…
Installed it via ssh with pkg_add -r libevent and then went to the GUI to install Unbound but still nothing. Same error as before...
Seems as though the package had extra make options added. I have explicitly set these now. Packages rebuilding as we speak.
-
This time the installation was a big mess:
First, after installation unbound AND dnsmasq were both enabled. It would be much better to have unbound disabled after a fresh install! I was cut off the internet instantly after the installation, nor could i reach my pfsense-Web-IF again. No dns-name neither IP worked.
looking at the systemlog encountered that the same errors appeared again (description is parsed as config)
Then after that logentries the log was full of "missing unbound-control, not found"-messages.Finally i managed by deinstalling unbound manually and doing a gitsync to get back control of my pfSense.
not cool! Ok Ermal has made a recent change which will prevent the packages from been automatically started. So this should prevent the situation where the DNS forwarder and Unbound are trying to run at the same time. Also I have added after install notes to indicate that the user needs to configure Unbound before it will be started and also needs to disable the DNS Forwarder.
Hopefully this commit should address your problem.
-
No problem. shit happens. I'll give it a new try tomorrow. Thanks for your great work!
Tried again, but now i'm having that same problem:
libevent-1.3e could not download.
Cannot install unbound.