    Can pfSense validate DNSSec secured TLDs? I don't think =(

    As you can read on the German news site heise.de (http://www.heise.de/newsticker/meldung/Erster-Rootserver-liefert-ab-1-Dezember-DNSSEC-signierte-Zone-814252.html), the root zones will be signed by the 1st of December and the public zone signing key will be available next year, so DNSSec is moving forward and is really important for the future of the DNS system.
    So it would be really important that pfSense can validate DNS queries with the mechanisms of DNSSec…

  • DNSSEC validation is not intended to be used by the client. Normally pfSense is nothing other than a client to the provider DNS and therefore "trusted". Or what is your idea of how a firewall has to interact with DNSSEC?

  • You're right, pfSense is the client to the ISP, but the PCs or server behind pfSense are the clients to the firewall. The firewall is there to protect the clients, so I think the firewall is the right place to do DNSSEC validation.

    It should be an option which the user can enable or disable, as not everyone wants the validation on the firewall resolver. If you trust your provider (and your provider validates DNSSEC), then you don't need it. Otherwise, the DNSSEC validation should be made by the firewall…

    The dnsmasq that is used is a relatively simple forwarder.
    If you want to support DNSSEC, you have to install a "real" nameserver. And for DNSSEC, do not underestimate memory and crypto performance. I would prefer a real DNS server inside my boundaries…
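    The two points above ("if your provider validates DNSSEC you don't need it on the firewall" and "dnsmasq is only a forwarder") both come down to one question: does the resolver you forward to actually validate? The way to tell is the AD (Authenticated Data) bit in its responses to a query carrying the EDNS0 DO bit. The following is an added example, not code from the thread or from pfSense/dnsmasq; the sample response headers are constructed, and the server address passed to query_resolver is whatever upstream you want to check.

```python
import socket
import struct

# Build a DNS query with RD set and an EDNS0 OPT record carrying the DO bit.
# Without DO, a validating resolver answers but never tells you it validated.
def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # IN class
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

# Decode the 16-bit flag word of a response header (RFC 1035 / RFC 4035 AD, CD bits).
def parse_flags(response: bytes) -> dict:
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
        "cd": bool(flags & 0x0010), "rcode": flags & 0x000F,
    }

# AD set with NOERROR means the upstream verified the chain for this answer.
# No AD means it either does not validate or the zone is unsigned.
# SERVFAIL from a validating resolver is how bogus (failed) data shows up.
def upstream_validates(response: bytes) -> bool:
    f = parse_flags(response)
    return f["ad"] and f["rcode"] == 0

# Network helper (UDP/53); not exercised by the offline test below.
def query_resolver(server: str, name: str, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

# Constructed sample headers (12 bytes each is enough to inspect the flags):
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)      # QR RD RA AD, NOERROR
NOT_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, no AD
SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)       # rcode 2, e.g. bogus data
```

Run it against a signed name once with each upstream you would forward to; a resolver that never sets AD on signed zones is one you cannot rely on for validation, which is the case for enabling it on the firewall instead.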

