Harden DNSSEC Data input error
-
Maybe something to consider to be built into pfSense?
When you try to enable "Harden DNSSEC Data" in the Advanced Settings of the DNS Resolver, it checks whether DNSSEC Support is enabled; if not, an error message appears when you try to save this setting.
But there is no reverse compatible check. Let me explain:
When you have DNS support enabled and have also enabled "Harden DNSSEC Data" in Advanced Settings, and for some reason later on decide to disable DNS support, there is no error report, so you could leave something checked that cannot work.
-
@Qinn huh? If you disable dnssec, then harden being checked is not going to do anything anyway. But if you want to use the harden setting, then yeah, dnssec has to be enabled to enable that.
What is harden dnssec going to do if dnssec isn't enabled? That is all that is telling you.
It's the dnssec part of resolving, not dns.. if you disable the resolver completely, again none of its settings matter.
Like trying to turn on a light in a house that doesn't have the main breaker turned on.. If you turn on the kitchen light when you do have the main breaker on, but then later turn off the main breaker, it doesn't matter if the kitchen light switch is on.
Let's call the resolver being enabled the main breaker, while dnssec is the kitchen breaker. Kind of hard to turn on the kitchen light switch for the light above the sink if the kitchen breaker is off.
But if you turn off either the kitchen breaker or the main breaker, it doesn't matter if the light switch is on for the light above the sink.
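The dependency johnpoz describes, as an added example in Python (not pfSense or unbound code): a small model that renders the DNSSEC part of an unbound server block and lints the "don't care" combinations the GUI currently lets through. The mapping of the two checkboxes onto unbound directives and the trust-anchor path are my assumptions about how the settings are rendered, not something the thread states.

```python
# Added example, not pfSense or unbound code. It models the "main breaker /
# kitchen breaker" dependency: Harden DNSSEC Data only has an effect when the
# resolver is enabled AND DNSSEC validation is on. The mapping of the GUI
# checkboxes onto unbound directives (module-config with the validator,
# auto-trust-anchor-file, harden-dnssec-stripped) is an assumption.
from dataclasses import dataclass


@dataclass
class ResolverSettings:
    resolver_enabled: bool   # DNS Resolver service on/off (the "main breaker")
    dnssec: bool             # "DNSSEC Support" on the main page (the "kitchen breaker")
    harden_dnssec: bool      # "Harden DNSSEC Data" on the Advanced page (the "light switch")


def render_unbound(s: ResolverSettings) -> str:
    """Render the DNSSEC-related part of an unbound server block."""
    if not s.resolver_enabled:
        return ""  # resolver off: nothing is rendered, every sub-setting is inert
    lines = ["server:"]
    if s.dnssec:
        lines.append('  module-config: "validator iterator"')
        # Placeholder path; the real trust-anchor location is not given in the thread.
        lines.append('  auto-trust-anchor-file: "/path/to/root.key"')
        lines.append(f"  harden-dnssec-stripped: {'yes' if s.harden_dnssec else 'no'}")
    else:
        # No validator module: the harden checkbox is a don't-care and is not emitted.
        lines.append('  module-config: "iterator"')
    return "\n".join(lines) + "\n"


def lint(s: ResolverSettings) -> list[str]:
    """Warnings the GUI does not emit today for settings that cannot take effect."""
    warnings = []
    if s.harden_dnssec and not s.dnssec:
        warnings.append("Harden DNSSEC Data is checked but DNSSEC Support is disabled; it has no effect")
    if not s.resolver_enabled and (s.dnssec or s.harden_dnssec):
        warnings.append("DNS Resolver is disabled; its DNSSEC settings have no effect")
    return warnings
```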
-
Yep, these two DNSSEC options, one on the main page and the other on the advanced page, make things confusing.
But, if DNSSEC is disabled on the first page, the setting on the second page is a 'don't care', so unbound will be happy. True, if the admin unchecked DNSSEC on the first page, but forgot about it on the second page (leaving it checked), later on he will get a reminder. Free! I guess validating settings on one page should not auto 'touch' (or modify) settings on another page, for 'some "don't open the can of worms" reason'.
Btw: DNSSEC is free extra security. Who would refuse that? Netgate, as they are network (DNS) experts (I guess, who are we to disagree), have it enabled by default.
edit ... stupid me, I forgot again that flat earthers, DNS forwarders etc. really exist.
-
Thanks, guys, for your replies.
@johnpoz I can follow the logic, as you explained it, using the main breaker example.