23.01 Upgrade unbound Issue
-
I upgraded my pfsense to 23.01 and after a few hours DNS resolving to public sites stops working. I have the below set and public dns is set to 9.9.9.9. This setup has worked for a long time on the previous version. The error I get is Unbound: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN. Restarting unbound fixes the problem temporarily, also unchecking "enable forwarding mode" which I want checked and enabled.
-
J jimp moved this topic from Problems Installing or Upgrading pfSense Software on
-
There's really no point having DNSSec enabled in forwarding mode. You're already trusting the upstream servers. Does disabling that change anything?
Steve
-
Thanks for the information, I found this article on quad 9's site and followed those instructions now everything works great.
https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
-
@techman2005 That Quad9 "guide" shows enabling both the Forwarder service as well as the Resolver with Forwarding enabled.
I always thought you should use one or the other. Is there a reason to use both?
-
It's possible to use both if you see one to use a different port. It would be unusual.
But, for example, if you are redirecting all DNS queries from IOT devices to pfSense you could use a different port for that. And then forward those requests differently.
-
@moelassus said in 23.01 Upgrade unbound Issue:
@techman2005 That Quad9 "guide" shows enabling both the Forwarder service as well as the Resolver with Forwarding enabled.
No it doesn’t:
“Navigate to Services -> DNS Forwarder on the top menu. Make sure Enable DNS forwarder is disabled. If it is enabled, disable it, and click Save ” ;) -
my config looks like this now and everything is working great. I verified everything is working correctly by looking at states.
-
@stephenw10 Disabling DNSSec got things back on track for v23 on my systems also. v22 worked fine with that checked.
-
@cylosoft said in 23.01 Upgrade unbound Issue:
@stephenw10 Disabling DNSSec got things back on track for v23 on my systems also. v22 worked fine with that checked.
That’s been my experience also. Earlier, I checked our outside router which the whole building goes through and it had DNSSEC enabled. That’s on 22.05 I believe (am not where I can double check now), upgraded over many, many versions.
Do you have particular domains that failed? For me it was LinkedIn.com forwarding to Quad9. I didn’t do a lot of testing but it was I think my first access, an hour or so after installing 23.01.
I suppose it’s possible the newer unbound version does something different. (Not to say it’s a bug, per se, but the perception is working->not working)
-
@steveits The reports I was getting were all Cloudflare hosted DNS. But I'm not sure that means anything since that's a huge chunk of the internet.
-
Mmm, it's odd because if it's enabled and fails then whatever you're forwarding to doesn't support it. So I would expect it to be an all or nothing situatiuon.
I wonder if it was previously disabled automatically in the old Unbound version.
-
@stephenw10 Quad9's setup article said "DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures." I took that to mean the random failures I was seeing. But I don't know. Maybe the random failures will come back.
-
@cylosoft said in 23.01 Upgrade unbound Issue:
Maybe the random failures will come back.
Quiet, you!
-
-
@stephenw10 I thought I'd try to replicate it with linkedin.com just now and couldn't, at least by turning enabling DNSSEC and immediately (without waiting an hour or two) running nslookup. It was failing the other day because I was testing and resolved it.
Of course disabling DNSSEC also restarts unbound so now there's a question of what the problem actually is...does it show up after time? On certain queries? When the domain's NS has something misconfigured?
If it is a bug, then it occurs to me there's a question on the correct solution:
A) resolve the bug
B) automatically disable/hide DNSSEC when forwarding is enabledOption B sounds like it is "more correct"...and maybe something that should be done regardless of any bug/not bug.
-
@steveits said in 23.01 Upgrade unbound Issue:
does it show up after time?
Most likely this - if your asking for dnssec when where you forward to is already doing dnssec.. And you get something returned via cache - because your forwarding, etc. As quad9 step 3 says about turning it off "can cause false dnssec failures" if dnssec fails then what your looking for would fail, etc.
If your forwarding, clearly you trust where your forwarding too. They are already doing dnssec as a resolver, which is where it is meant to be done, etc. I see no point in setting your unbound to try and do dnssec as well.. Its going to be flawed when your not resolving. At best its causing extra queries, at worse stuff is going to fail to resolve. There is no reason to do it.
edit: btw I have been saying to turn off dnssec if your forwarding for YEARS... here is a post from 2016, where I state to turn it off if your forwarding ;)
https://forum.netgate.com/post/627755
Might be posts from before that, prob all the way back to when unbound was just a package in pfsense and not built in.. dnssec has no use in forwarding mode..
-
@johnpoz said in 23.01 Upgrade unbound Issue:
I see no point in setting your unbound to try and do dnssec as well
Oh I'm not debating whether it should be off. :) I'm suggesting that since it should be off, when forwarding is enabled, then pfSense should turn it off. IOW, avoid foot-shootery.
I've seen maybe 10ish people complaining about DNS problems after installing 23.01 and it seems like it's DNSSEC and forwarding.
-
@steveits we are on the same page, and I understood your suggesting it should be off if you enable forwarding.. Completely agree with you.. Maybe we crossed some wires or something.. We are in lock step here - if the user clicks forwarding mode, the checkbox for dnssec should be unchecked and grayed out to be honest.
But that would draw complaints most likely as well ;) Maybe pop up another check box that says, by clicking this I understand what I am doing and want to do forwarding with dnssec.. I will not post any questions or threads about dns issues if I have this checked ;)
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
S SteveITS referenced this topic on
-
@johnpoz @stephenw10 I made a Redmine feature request.
I can't easily generate a default config file right now (wife is on a conference call
) but is DNSSEC enabled by default? I am pretty sure it is not, but it still seems safer to turn it off when forwarding is enabled. -
The default configuration has Forwarding off and DNSSEC on. Someone enabling forwarding should probably disable DNSSEC manually but that isn't rejected by validation or changed automatically.
