Unbound enabled DNSSEC plus IPsec peers with dynamic IPs
Unbound service on my pfSense acting as a pure DNS resolver. No upstream resolver is configured; unbound has to handle resolution from the root DNS down to each authoritative server for the domains that are queried. In addition I've configured a bunch of overrides for internal forward and PTR zones.
This all works flawlessly. Issues arise if I enable DNSSEC for unbound. It's not like DNSSEC isn't working - after activating it plus a restart of unbound and "dig"ging through DNSSEC-enabled domains, all is fine and validation is working as intended.
Issues arise if an IPsec peer with a dynamic IP address (configured by hostname) reconnects with a different IPv4 address. These peers are configured as VTI and utilize FRR/BGP for route learning. To ensure bgpd learns all routes during these events, all IPsec interfaces will flap ("Ignore IPsec Restart" unchecked in the FRR Global config).
For some reason this process invalidates all DNS data (NXDOMAIN) and tables which come from domain overrides. All of the internal DNS records are configured with a TTL of 60s, and the SOA records are also configured with a TTL of 60 seconds.
Since many tables for firewall rules are fed from the internal domain, this generates issues in daily operation. I can intervene in this issue and reduce the impact duration by running
sh -c "/usr/sbin/chroot -u unbound -g unbound / /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf flush_zone ."
If I don't do so, it takes up to an hour (and even more) to restore normal operation. Without DNSSEC enabled, all internal records stay valid when IPsec peers with dynamic IP addresses reconnect.
I've restricted unbound to run only on the interfaces where it is actually needed (internal and loopback, but no IPsec interface). This doesn't mitigate the issue, unfortunately.

Edit:
The issue is reproducible on CE 2.5.1 and 2.6.0 in my configuration on different machines.
Is no one facing similar effects? Does anyone have an idea where this may come from?
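As an added example (not part of the original post), the script below wraps the poster's flush_zone command in a small probe: it queries a list of internal names through the local unbound with dig +dnssec, classifies each answer by its status code and AD (authenticated data) flag, and runs the flush only when one of the names has gone NXDOMAIN. The resolver address, the unbound.conf path, the probe names and the two embedded dig transcripts are assumptions constructed for the example; the chroot/unbound-control invocation is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Probe internal names through
# the local unbound and flush its cache only when a name returns NXDOMAIN.
# Assumptions: dig(1) is installed; RESOLVER and UNBOUND_CONF match the
# pfSense defaults used in the post; probe names are hypothetical.

RESOLVER=127.0.0.1
UNBOUND_CONF=/var/unbound/unbound.conf

# Extract the status code (NOERROR, NXDOMAIN, SERVFAIL, ...) from dig output.
dig_status() {
    printf '%s\n' "$1" \
      | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' \
      | head -n 1
}

# Succeed (exit 0) when the answer carried the AD flag, i.e. unbound
# validated it with DNSSEC; fail for unsigned or unvalidated answers.
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# The poster's flush command, unchanged apart from the config path variable.
flush_unbound_zone() {
    /usr/sbin/chroot -u unbound -g unbound / \
        /usr/local/sbin/unbound-control -c "$UNBOUND_CONF" flush_zone .
}

# Probe every name given as an argument; flush once if any is NXDOMAIN.
# Returns 1 when a flush was needed, 0 otherwise.
check_and_flush() {
    needs_flush=0
    for name in "$@"; do
        # If dig is missing the output is empty and the status is "", which
        # deliberately does not trigger a flush.
        out=$(dig @"$RESOLVER" +dnssec "$name" A 2>/dev/null)
        st=$(dig_status "$out")
        if [ "$st" = "NXDOMAIN" ]; then
            needs_flush=1
        fi
    done
    if [ "$needs_flush" -eq 1 ]; then
        flush_unbound_zone
    fi
    return "$needs_flush"
}

# Constructed dig transcripts (not captured from a real resolver) showing the
# two cases the functions above distinguish. The first is an override name
# that has gone NXDOMAIN; its SOA carries the 60 second negative TTL from the
# post. The second is a validated, signed answer carrying the AD flag.
SAMPLE_NXDOMAIN=$(cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;host1.internal.example.    IN  A

;; AUTHORITY SECTION:
internal.example.  60  IN  SOA  ns.internal.example. hostmaster.internal.example. 1 3600 900 604800 60
EOF
)

SAMPLE_NOERROR=$(cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.signed.example.    IN  A

;; ANSWER SECTION:
www.signed.example.  300  IN  A  192.0.2.10
EOF
)

# Only probe when names were passed on the command line, so that sourcing or
# running the file without arguments defines the functions and does nothing.
if [ "$#" -gt 0 ]; then
    check_and_flush "$@"
fi
```

Run it from cron or a gateway/IPsec event hook as `sh probe_flush.sh host1.internal.example host2.internal.example`; a non-zero exit means a flush was performed. The AD check is independent of the flush decision: it lets the script log whether a validated answer came back, which is the same thing the post verifies by hand with dig.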