DNSSEC on pfSense
-
Unbound does not install:
yeah bad timing - the package server died, not sure of the status currently. I know jim-p is working on it.
-
Did the update today and encountered this:
kernel: pid 41731 (php), uid 0: exited on signal 11 (core dumped) Dec 6 15:06:59 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '/usr/local/etc/unbound/unbound.conf:52: error: unknown keyword '2.8' /usr/local/etc/unbound/unbound.conf:52: error: unknown keyword 'intel' /usr/local/etc/unbound/unbound.conf:52: error: stray ''' /usr/local/etc/unbound/unbound.conf:52: error: stray '"' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword '2,1' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword 'PPC' /usr/local/etc/unbound/unbound.conf:55: error: stray ''' /usr/local/etc/unbound/unbound.conf:55: error: stray '"' read /usr/local/etc/unbound/unbound.conf failed: 8 errors in configuration file [1291644419] unbound[60301:0] fatal error: Could not read config file: /usr/local/etc/unbound/unbound.conf'Obviously it doesn't work. :(
The unbound.conf is at the expected place, the errors about that offending keywords are excerped from the respective local Client-descriptions. Here are two the lines from the unbound.conf:
local-data: "tiffany.local IN A 10.112.35.2" local-data: "tiffany.local TXT 'iMac 24" 2.8 intel'"Hope that helps. Oh, shouldn't the log be separate?
Ooo not cool - will fix that.
You should have a /var/log/unbound.log (but you need to be running one of the latest snapshot)? Also in /etc/syslog.conf, you should see unbound config entry.
-
Ok @_igor_ your stuff should be working now - just reinstall the package.
@jlepthien - i have just installed unbound and its correctly downloaded everything.
-
Still having problems here. I am on NanoBSD…
Beginning package installation for Unbound... Downloading package configuration file... done. Saving updated package information... done. Downloading Unbound and its dependencies... Checking for package installation... unbound-1.4.7 (extracting) expat-2.0.1_1 (extracting) openssl-1.0.0_3 (extracting) libevent-1.3e could not download. of unbound-1.4.7 failed! Installation aborted.Removing package... Starting package deletion for unbound-1.4.7...done. Starting package deletion for expat-2.0.1_1...done. Starting package deletion for openssl-1.0.0_2...done. Removing Unbound components... Tabs items... done. Menu items... done. Services... done. Loading package instructions... Include file unbound.inc could not be found for inclusion. Deinstall commands... Not executing custom deinstall hook because an include is missing. Removing package instructions...done. Auxiliary files... done. Package XML... done. Configuration... done. Failed to install package. Installation halted. -
Ok i was testing on a full install but that shouldn't make a difference as the packages are collected from the same place.
All I can say is try again today. -
Hmmm. pfSense still can't install libevent-1.3e…
Installed it via ssh with pkg_add -r libevent and then went to the GUI to install Unbound but still nothing. Same error as before...
-
This time the installation was a big mess:
First, after installation unbound AND dnsmasq were both enabled. It would be much better to have unbound disabled after a fresh install! I was cut off the internet instantly after the installation, nor could i reach my pfsense-Web-IF again. No dns-name neither IP worked.
looking at the systemlog encountered that the same errors appeared again (description is parsed as config)
Then after that logentries the log was full of "missing unbound-control, not found"-messages.Finally i managed by deinstalling unbound manually and doing a gitsync to get back control of my pfSense.
-
Hmmm. pfSense still can't install libevent-1.3e…
Installed it via ssh with pkg_add -r libevent and then went to the GUI to install Unbound but still nothing. Same error as before...
Seems as though the package had extra make options added. I have explicitly set these now. Packages rebuilding as we speak.
-
This time the installation was a big mess:
First, after installation unbound AND dnsmasq were both enabled. It would be much better to have unbound disabled after a fresh install! I was cut off the internet instantly after the installation, nor could i reach my pfsense-Web-IF again. No dns-name neither IP worked.
looking at the systemlog encountered that the same errors appeared again (description is parsed as config)
Then after that logentries the log was full of "missing unbound-control, not found"-messages.Finally i managed by deinstalling unbound manually and doing a gitsync to get back control of my pfSense.
not cool! Ok Ermal has made a recent change which will prevent the packages from been automatically started. So this should prevent the situation where the DNS forwarder and Unbound are trying to run at the same time. Also I have added after install notes to indicate that the user needs to configure Unbound before it will be started and also needs to disable the DNS Forwarder.
Hopefully this commit should address your problem.
-
No problem. shit happens. I'll give it a new try tomorrow. Thanks for your great work!
Tried again, but now i'm having that same problem:
libevent-1.3e could not download.
Cannot install unbound. -
Yeah. Still having the libevent problem, too…
-
I was looking at the freebsd-ftp and the only libevent is libevent.tgz, which is libevent-1.4.13.tbz.
I installed it manually, but didn't help. -
today i install unbound package …
still libevent-1.3e could not download.here full message on package install :
Beginning package installation for Unbound...
Downloading package configuration file... done.
Saving updated package information... done.
Downloading Unbound and its dependencies...
Checking for package installation...
unbound-1.4.7 (extracting)
expat-2.0.1_1 (extracting)
openssl-1.0.0_3 already installed.
libevent-1.3e could not download.
of unbound-1.4.7 failed!Installation aborted.Removing package...
Starting package deletion for unbound-1.4.7...done.
Starting package deletion for expat-2.0.1_1...done.
Skipping package deletion for openssl-1.0.0_2 because it is required by other packages.
Starting package deletion for libevent-1.4.14b_1...done.
Removing Unbound components...
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Include file unbound.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Failed to install package.Installation halted.
meanwhile, stick to dnsmasq
i really appreciate for provide this package -
Can you try one more time (I just uploaded a freshly recompiled set of packages) and if that fails, try to do this:
pkg_delete -f openssl-1.0.0_2And then try to reinstall Unbound (Or maybe hit the 'x' to delete it and then re-add it from the list)
-
Great! Installation works! I'm so excited!!! Thanx a lot!!
edit: second note) unbound works great! ping of hosts inside my LAN works. Name resolution is somewhat slower than before, but thats no problem…
last edit: Borat smiles into my face...
:-)
-
Thanks jimp! Now the install works and also a DNSSEC Test works. But I cannot ping hosts by name on my LAN. Everything works great from the pfSense box itself (eg. ping by name to every host), but not from my LAN hosts. I am only able to ping pfSense.domain.lan but no other hosts from my iMac on LAN.
I also clicked save on the Unbound tab more than once…
-
Ok. I can see in the unbound.conf that my hosts do not get written into it. Also I want Unbound to listen on three interfaces but it only listens on my main LAN. So WLAN cannot be used at the moment…
Any ideas? I really have checked all three interfaces on the Unbound tab...
-
Ok I gather nothing has changed in your config that you sent me originally, so let me check and I'll come back to you tomorrow.
-
Great! Installation works! I'm so excited!!! Thanx a lot!!
edit: second note) unbound works great! ping of hosts inside my LAN works. Name resolution is somewhat slower than before, but thats no problem…
Are you using forwarders or letting Unbound do all the name resolution? Also, is it slow just the 1st time or all the time?
-
Ok I gather nothing has changed in your config that you sent me originally, so let me check and I'll come back to you tomorrow.
Yeah, nothing changed in my config. How should I actually use these static dns mappings? Before it was done by dnsmasq and now with Unbound it says that I shouldn't activate the forwarder when using DNSSEC. So how should I configure this?
