Periodic since 2.2 pages load blank, certs invalid
-
@Wouter:
Why was harden-glue turned off?
Indeed, this is a good question, keeping in mind that unbound is enabled by default in all new 2.2 installations, I wonder how many unsuspecting people are being affected by this.
I feel that it warrants an official announcement by pfSense team with specific suggestions on how to remedy the issue… -
I'd say applying that patch AND enabling harden glue by default would probably be the safest option considering the havoc this was able to cause.
In the mean time, even with harden glue on, I'm going to keep my 0.0.0.0 overrides ;)
-
Suggestion for pfSense 2.2.1 : apply this patch to unbound and/or activate the harden-options by default. I'll check later if there is anything in redmine about this issue or will create a new one accordingly.
Voilà : https://redmine.pfsense.org/issues/4402
-
harden-glue is already on by default in RELENG_2_2:
https://redmine.pfsense.org/projects/pfsense/repository/revisions/ef120e878558f84ed14369a484c0938ccd1b6db5
(The iter_scrub.c patch still useful though…)
-
I just started getting this problem today for the first time since I installed the 2.2-RELEASE.
I was also using the 8.8.8.8 and 8.8.4.4 DNS from Google. I've changed to using OpenDNS now which seems to have stopped the problem?
The thread is really long I read the first few pages, should I activate the Harden Glue feature? - Just a worried noobie.
-
Harden Glue - yes, that definitely should be enabled. Otherwise, OpenDNS does not support DNSSEC at all, so all those other DNSSEC-related hardening features are kinda useless till you switch back to Google, or just disable the forwarding altogether.
-
Ok so I've turned Hardened Glue on, what else should I enable?
-
@cmb:
Have you tried checking:
Harden Glue
Harden DNSSEC data
These two in particular, if you don't have them enabled, enable them. I changed things to enable both those by default, and we'll add config upgrade code to turn those on for anyone who doesn't have them enabled upon upgrade to 2.2.1.
-
@cmb:
Have you tried checking:
Harden Glue
Harden DNSSEC data
These two in particular, if you don't have them enabled, enable them. I changed things to enable both those by default, and we'll add config upgrade code to turn those on for anyone who doesn't have them enabled upon upgrade to 2.2.1.
Okay I've enabled both of those. They will work okay with OpenDNS? - Thanks :)
-
-
They will work okay with OpenDNS? - Thanks :)
Goto…
I read that but I just wanted to confirm because I wasn't sure if you mistyped what you said due to the way it was worded.
-
-
Just to be clear, with harden glue I see no issue, but I'm not sure that opendns supports DNSSEC, so if forwarding from opendns with DNSSEC enabled, might get "nothing".
I'm not running opendns here, but seems like it didn't support DNSSEC in the past. Not sure about now.
(For me at least, trying to use DNSSEC with non-DNSSEC capable servers results in DNS failure to resolve)
-
Obviously, as already stated multiple times here, hardening features that make use of DNSSEC will do absolutely nothing useful when you are forwarding DNS queries to OpenDNS or any other open DNS server that does not support DNSSEC at all. If you want DNSSEC, stop using OpenDNS.
-
Final followup here for me (I hope): Unbound 1.5.2rc1 has just been released, http://www.unbound.net/pipermail/unbound-users/2015-February/003774.html
Interesting part of the release notes in our case:
This release fixes a DNSSEC validation issue when an upstream server
with different trust anchors introduces unsigned records in messages.
Harden-glue when turned off allows potentially poisonous records in
the cache in the hopes of that enabling DNS resolution for 'impossible
to resolve' domains, it is fixed to have 'less cache poisoning',
quotes added because it is by definition not secure to turn off
harden-glue. New features are that "inform" can be used to see which
IPs lookup a domain, and unbound-control can use named unix pipes.According to Chris in Redmine, this should be fixed in 2.2.1.