DNSSEC on pfSense
-
I would like an authoritative primary server which can do the 'accept registrations for dhcp clients' juju and serve up zone updates to a secondary elsewhere on my LAN.
-
With both ways I see nothing. On console output it says off (using root hints).
I also tried mounting rw before but that doesn't change anything.Hmm try this from the cmd line unbound-control forward 208.67.222.222 208.67.220.220
Let me know what that returns. unbound-control forward should then list these 2 IP addresses as forwarders as your access control should work.
If that all works then I think I know what the problem is.
-
Hmm try this from the cmd line unbound-control forward 208.67.222.222 208.67.220.220
Let me know what that returns. unbound-control forward should then list these 2 IP addresses as forwarders as your access control should work.
If that all works then I think I know what the problem is.
Hey m8. That works! So is it just the GUI that has got problems? Will this stay after a reboot? Or do I need to edit the unbound.conf by hand? But now I DNSSEC does not seem to be working. The http://test.dnssec-or-not.org/ url does not even open…
Also http://www.dnssec-tools.org/testzone/ does not open? Does it open for you?
-
Hey m8. That works! So is it just the GUI that has got problems? Will this stay after a reboot? Or do I need to edit the unbound.conf by hand?
Nah it wont stick after a reboot. Basically the GUI just executes what you typed by hand. There is no config option to specify them.
Ok i pushed a fix - give it a go and let me know how it goes. -
In that case I think it's one or another. Not really sure to be honest with you. Try enabling the option and test it using the test dnssec page and let us know if it works.
On the other side of the coin, I am not sure if OpenDNS supports DNSSEC? I thought they adopted DNSCurve.
As I've written now, it doesn't work. Well and you are right, OpenDNS adopted DNSCurve….
Nah it wont stick after a reboot. Basically the GUI just executes what you typed by hand. There is no config option to specify them.
Ok i pushed a fix - give it a go and let me know how it goes.Will do when the update shows up…
-
In that case I think it's one or another. Not really sure to be honest with you. Try enabling the option and test it using the test dnssec page and let us know if it works.
On the other side of the coin, I am not sure if OpenDNS supports DNSSEC? I thought they adopted DNSCurve.
As I've written now, it doesn't work. Well and you are right, OpenDNS adopted DNSCurve….
Which I am sure they will regret one day…
Will do when the update shows up…
I upped the version number and hopefully also fixed the file system errors.
-
I think my solution is to install and configure tiny-dns, as it looks like it will do everything I want. Sorry for hijacking this thread - I will drop out now :)
EDIT: I think I'm just out of luck. Found a thread from last year where some other soul was trying to get zone transfers to work with tinydns and the last post indicated failure. Sigh…
-
What I am doing for now: adding 2-3 entries in /etc/hosts on a couple of the servers that need to be able to talk to other servers, even if pfsense is offline. I do want to try replacing dnsmasq with unbound and see how it works…
-
EDIT: I think I'm just out of luck. Found a thread from last year where some other soul was trying to get zone transfers to work with tinydns and the last post indicated failure. Sigh…
Give me a few weeks, I have a need to implement NSD(http://www.nlnetlabs.nl/projects/nsd/) instead of using TinyDNS. This should hopefully help you.
-
Hey m8. That works! So is it just the GUI that has got problems? Will this stay after a reboot? Or do I need to edit the unbound.conf by hand? But now I DNSSEC does not seem to be working. The http://test.dnssec-or-not.org/ url does not even open…
Also http://www.dnssec-tools.org/testzone/ does not open? Does it open for you?
Yeah I believe Unbound can't validate the answers from OpenDNS because they don't support DNSSec, hence why you get an invalid reply.
-
Thanks for the hard work. I will stay tuned :)
-
I upped the version number and hopefully also fixed the file system errors.
Does not work here. When enabling the forward mode the servers do not get written and unbound-config forward still says 'off'. Since OpenDNS is not supporting DNSSEC anyway I might as well stick to dnsmasq or disable DNSSEC…
-
I think you know it, but here for future? reference…
http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-dn-dnssec-nsd.pdf
Sounds interesting... -
Does not work here. When enabling the forward mode the servers do not get written and unbound-config forward still says 'off'. Since OpenDNS is not supporting DNSSEC anyway I might as well stick to dnsmasq or disable DNSSEC…
Just do a grep reload /usr/local/pkg/unbound.inc - that should return zero results. If it does then you will need to uninstall the package and then re-install.
Otherwise yeah disable DNSSec or stick to DNSMasq for now :$ OpenDNS do say they will eventually support DNSSec if gains more traction…
-
I think you know it, but here for future? reference…
http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-dn-dnssec-nsd.pdf
Sounds interesting...thanks - will check this out.
-
On the latest snapshot of today i386 still getting:
Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
??? -
On the latest snapshot of today i386 still getting:
Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
???Is this still a problem? I can only assume DNSMasq was re-enabled.
I have been away for the last week - hence the late reply.
-
On latest snapshot of today 4 January same old:
Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'
On the latest snapshot of today i386 still getting:
Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
???Is this still a problem? I can only assume DNSMasq was re-enabled.
I have been away for the last week - hence the late reply.
-
It appears we are close to a RC1 candidate with so many things broken?
One of the developers tweeted:
"DNSSEC is right now the top, by far the top distributed denial of service amplifier on the internet"
Could this be why no one seems to care about the Unbound package?
-
I would be interested in infos about it. Searching the net i only get - nothing! So no explanation nor other info. Sounds a bit like "Windows is the most secure software known".