DNSSEC Not Working
-
I have two pfSense systems, one running the latest release version, 2.4.4-p3, the other running the latest development version, 2.5.0-development. Unbound and DNSSEC are enabled on both, but DNSSEC is only working on the development version, according to performance.cira.ca and dnssec.vs.unie-due.de. Any suggestions where I should look for what's causing this?
-
Usually DNSSEC failures come down to a handful of issues:
- Clock/time -- the failing device may not have accurate time or its clock may not be ticking properly. This is more common on low-end/shady hardware, and occasionally is solved by a BIOS update or by changing the timecounter used by the OS.
- Upstream connectivity is not working properly in some way (e.g. path to roots is blocked, path to authoritative name servers is blocked, or something along the path drops EDNS / large DNS packets).
-
@jimp Thank you for your reply. Both pfSense systems are running on the same Xeon Hyper-V server. They have the same connectivity (each has a /56 prefix). The 2.4.4-p3 system is used for my main LAN. The 2.5.0-development system has a virtual LAN with a virtual client. I don't think there are any clock issues or upstream connectivity issues.
Neither of the sites that say DNSSEC isn't working provides any elaboration. Are you aware of any other sites that might provide further descriptive information on what is happening? I didn't see any messages in the log, but perhaps I'm not looking in the right place.
-
@bimmerdriver said in DNSSEC Not Working:
I don't think there are any clock issues or upstream connectivity issues.
Do not assume. Check.
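The checks jimp's list implies (clock, validation through the local resolver, EDNS/large-packet path), turned into something that can be run from a pfSense shell. This is an added example written for this page, not code from the thread or from Netgate; the parsers work on the text output of ntpq(8) and dig(1), so they are exercised here on constructed samples rather than live queries. Assumptions: dig and ntpq are on PATH, Unbound answers on 127.0.0.1, and the public test names sigok/sigfail.verteiltesysteme.net behave as a correctly signed / deliberately broken pair.

```shell
#!/bin/sh
# Added example (not from the forum thread, not pfSense/Netgate code).
# Three "check, don't assume" probes for a DNSSEC-failing resolver:
#   1. clock  - is NTP actually synced, and by how much is the clock off?
#   2. dnssec - does Unbound validate a good name and reject a broken one?
#   3. edns   - can a >512-byte UDP answer (root DNSKEY) reach the resolver?
# Each probe is split into a parser (testable offline) and a live command.

# 1. Clock: feed `ntpq -pn` on stdin. The peer marked '*' is the selected
#    source; column 9 is its offset in milliseconds. No '*' line means the
#    daemon has not synced, which is exactly what makes every RRSIG look
#    expired or not-yet-valid to the validator.
ntp_sync_status() {
    awk '/^\*/ { p = $1; sub(/^\*/, "", p); printf "synced %s %s\n", p, $9; found = 1 }
         END  { if (!found) print "unsynced" }'
}

# 2. DNSSEC: classify one `dig +dnssec` run by rcode and the AD flag.
#    secure   NOERROR with AD   -> the answer was validated
#    insecure NOERROR, no AD    -> resolver not validating (or zone unsigned)
#    servfail SERVFAIL          -> validation failed or upstream unreachable
dig_dnssec_verdict() {
    awk '/^;; ->>HEADER<<-/ { for (i = 1; i <= NF; i++) if ($i == "status:") { s = $(i+1); sub(/,$/, "", s) } }
         /^;; flags:/ { l = $0; sub(/^;; flags: */, "", l); sub(/;.*$/, "", l)
                        n = split(l, f, " "); for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1 }
         END { if (s == "NOERROR" && ad) print "secure"
               else if (s == "NOERROR")  print "insecure"
               else if (s == "SERVFAIL") print "servfail"
               else                      print "error:" s }'
}

# Combine the verdicts for the known-good and known-bad test names.
resolver_diagnosis() {
    case "$1/$2" in
        secure/servfail)   echo "validating" ;;
        insecure/insecure) echo "not-validating: DNSSEC off, or forwarding to a non-validating upstream" ;;
        servfail/servfail) echo "validation-broken: check clock, trust anchor, and the EDNS/fragment path" ;;
        *)                 echo "inconsistent: $1/$2" ;;
    esac
}

# 3. EDNS / large packets: the root DNSKEY RRset is far larger than 512
#    bytes. If dig reports a truncated UDP reply and retries over TCP, something
#    between the resolver and the roots is dropping EDNS or fragmented UDP.
dig_edns_status() {
    awk '/^;; Truncated, retrying in TCP mode/ { tc = 1 }
         /^;; MSG SIZE  rcvd:/ { size = $NF }
         END { if (tc) print "truncated-udp " size
               else if (size + 0 > 512) print "large-udp-ok " size
               else print "small-answer " size }'
}

# Live driver for a pfSense shell (needs network; invoke as: sh this.sh run).
run_checks() {
    ntpq -pn | ntp_sync_status
    good=$(dig +dnssec @127.0.0.1 sigok.verteiltesysteme.net A | dig_dnssec_verdict)
    bad=$(dig +dnssec @127.0.0.1 sigfail.verteiltesysteme.net A | dig_dnssec_verdict)
    resolver_diagnosis "$good" "$bad"
    dig +dnssec +bufsize=4096 @127.0.0.1 . DNSKEY | dig_edns_status
}

# Constructed samples (trimmed ntpq/dig output written for this example, not
# captured from either system in the thread).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    .GPS.            1 u   41   64  377    8.123   -0.412   0.098
+203.0.113.11    203.0.113.10     2 u   38   64  377   11.002    1.250   0.211'

SAMPLE_DIG_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 225'

SAMPLE_DIG_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 57'

SAMPLE_DIG_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 45'

SAMPLE_DIG_TRUNC=';; Truncated, retrying in TCP mode.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 1414'

if [ "${1:-}" = "run" ]; then run_checks; fi
```

If the good and bad names both come back SERVFAIL on the 2.4.4-p3 box but not on the 2.5.0 box, the difference is on that box, not in the shared upstream path, and the clock probe is the first thing to believe. To get the reason into the log rather than a bare SERVFAIL, add `val-log-level: 2` to the Resolver's Custom Options and read the Resolver log; Unbound then records which RRSIG or DS failed and why.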