Netgate Discussion Forum
    DNSSec in pfSense

    General pfSense Questions
    4 Posts 2 Posters 2.8k Views
    tobru

    Hi,

    Can pfSense validate DNSSEC-secured TLDs? I don't think so =(

    As you can read on the German news site heise.de (http://www.heise.de/newsticker/meldung/Erster-Rootserver-liefert-ab-1-Dezember-DNSSEC-signierte-Zone-814252.html), the root zones will be signed by the 1st of December and the public zone signing key will be available next year, so DNSSEC is moving forward and is really important for the future of the DNS system.
    So it would be really important that pfSense can validate DNS queries with the mechanisms of DNSSEC…

    Best Regards,
    Tobias

    sigi

    DNSSEC validation is not intended to be done by the client. Normally pfSense is nothing other than a client to the provider's DNS and therefore "trusted". Or what is your idea of how a firewall has to interact with DNSSEC?

    tobru

    You're right, pfSense is the client to the ISP, but the PCs or servers behind pfSense are the clients to the firewall. The firewall is there to protect the clients, so I think the firewall is the right place to do DNSSEC validation.

    It should be an option which the user can enable or disable, as not everyone wants the validation on the firewall resolver. If you trust your provider (and your provider validates DNSSEC), then you don't need it. Otherwise, the DNSSEC validation should be done by the firewall…

    sigi

    Nope,

    the dnsmasq that is used is a relatively simple forwarder.
    If you want to support DNSSEC, you have to install a "real" nameserver. And for DNSSEC, do not underestimate memory and crypto performance. I would prefer a real DNS server inside my boundaries…

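The thread leaves the mechanism implicit: tobru wants the firewall resolver to validate answers, and sigi points out that a forwarder such as dnsmasq cannot, because validation means building a chain of trust from the root key down and doing the crypto itself. The following is an added example, not code from this thread, from pfSense or from dnsmasq, showing one link of that chain with only the Python standard library: the parent zone publishes DS records, each a hash over the child's key-signing DNSKEY, and a validating resolver accepts a child DNSKEY only if it hashes to a DS it already trusts (RFC 4034 section 5.1.4, key tag from RFC 4034 Appendix B). The owner name `example.`, the four-byte "public keys" and the resulting DS values are constructed for illustration; a real key blob is hundreds of bytes. Checking the RRSIG signatures with the accepted key, which this example omits, is where the public-key crypto cost sigi mentions actually lives.

```python
"""Added example: the DS -> DNSKEY chain-of-trust step of a validating
resolver.  Not pfSense or dnsmasq code; names, keys and DS values are
constructed sample data."""

import hashlib
import struct


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase labels, each prefixed by
    its length, terminated by the root label (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            wire += struct.pack("B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA layout: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B).  It is only a
    checksum used to pick candidate keys quickly, not a security property."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA).
    Digest type 1 is SHA-1 (RFC 4034), type 2 is SHA-256 (RFC 4509)."""
    if digest_type == 1:
        h = hashlib.sha1()
    elif digest_type == 2:
        h = hashlib.sha256()
    else:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_matches_key(owner, rdata, ds):
    """True if the parent's DS tuple (key_tag, algorithm, digest_type,
    digest_hex) authenticates this child DNSKEY RDATA."""
    tag, algorithm, digest_type, digest_hex = ds
    if key_tag(rdata) != tag or rdata[3] != algorithm:
        return False
    try:
        return compute_ds_digest(owner, rdata, digest_type) == digest_hex.upper()
    except ValueError:
        return False  # unknown digest type is unusable, never "valid"


def find_trusted_ksk(owner, dnskeys, ds_set):
    """Return the first child DNSKEY RDATA that some trusted DS authenticates,
    or None.  Only keys with the SEP (key-signing) flag bit are tried."""
    for rdata in dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0001:  # SEP bit clear: a zone-signing key, skip
            continue
        if any(ds_matches_key(owner, rdata, ds) for ds in ds_set):
            return rdata
    return None


if __name__ == "__main__":
    # Constructed sample data; algorithm 8 is RSASHA256, flags 257 = KSK.
    OWNER = "example."
    ksk = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
    zsk = dnskey_rdata(256, 3, 8, b"\x05\x06\x07\x08")
    # The DS the parent would publish for this KSK (what the resolver trusts).
    trusted_ds = (key_tag(ksk), 8, 2, compute_ds_digest(OWNER, ksk, 2))
    tampered = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")
    print("key tag of KSK:", key_tag(ksk))
    print("genuine KSK accepted:", find_trusted_ksk(OWNER, [zsk, ksk], [trusted_ds]) == ksk)
    print("tampered key accepted:", find_trusted_ksk(OWNER, [tampered], [trusted_ds]) is not None)
```

This is the step a forwarder never performs: it relays whatever DNSKEY set the upstream hands back, so a resolver that only forwards has nothing to compare against the DS from the parent zone. A validating resolver also needs a configured trust anchor for the root (the public key tobru refers to) to start the chain, and it must treat an unknown digest type or a missing DS as "unusable", as above, rather than as a pass.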
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.