    Harden DNSSEC Data input error

    DHCP and DNS
    4 Posts 3 Posters 201 Views
    • Qinn

      Maybe something to consider to be build in pfSense?

      When you try to enable "Harden DNSSEC Data" in the Advanced Settings of the DNS Resolver, it checks whether DNSSEC Support is enabled; if not, an error message appears when you try to save this setting.
      [screenshot: pfSense DNS Resolver Advanced Settings]

      But there is no reverse compatible check. Let me explain:

      When you have DNS support enabled and have also enabled "Harden DNSSEC Data" in Advanced Settings, and for some reason later on decide to disable DNS support, there is no error report, so you could leave something checked that cannot work.

      Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
      Firmware: Latest-stable-pfSense CE (amd64)
      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

      • johnpoz (LAYER 8 Global Moderator) @Qinn

        @Qinn Huh? If you disable dnssec, then harden being checked is not going to do anything anyway. But if you want to use the harden setting, then yeah, dnssec has to be enabled to enable that.

        What is harden dnssec going to do if dnssec isn't enabled? That is all that is telling you.

        It's the dnssec part of resolving, not dns. If you disable the resolver completely, again none of its settings matter.

        Like trying to turn on a light in a house that doesn't have the main breaker turned on. You can turn on the kitchen light when you do have the main breaker on. But if you then later turn off the main breaker, it doesn't matter if the kitchen light switch is on.

        Let's call the resolver being enabled the main breaker, while dnssec is the kitchen breaker. It's kind of hard to turn on the light switch for the light above the sink if the kitchen breaker is off.

        But if you turn off either the kitchen breaker or the main breaker, it doesn't matter if the light switch is on for the light above the sink.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Gertjan @Qinn

          @Qinn

          Yep, These two DNSSEC options, one on the main page, and the other on the advanced page, make things confusing.
          But, if DNSSEC is disabled on the first page, the setting on the second page is a 'don't care', so unbound will be happy. True, if the admin unchecked DNSSEC on the first page but forgot about it on the second page (leaving it checked), later on he will get a reminder. Free!

          I guess, validating settings on one page should not auto 'touch' (or modify) settings on another page, for 'some "don't open the can of worms" reason'.

          Btw: DNSSEC is a free extra security. Who would refuse that? Netgate, as they are network (DNS) experts (I guess - who are we to disagree), have it enabled by default 😊

          edit ... stupid me, I forgot again that flat earthers, DNS forwarders etc really exist.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • Qinn
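The dependency chain johnpoz describes (resolver, then DNSSEC, then the harden option) and the cross-page consistency check Qinn asked for, modelled in Python. This is an added example, not code from this thread or from pfSense itself. It assumes that "DNSSEC Support" is rendered into unbound's `module-config: "validator iterator"` plus an `auto-trust-anchor-file:` line and that "Harden DNSSEC Data" becomes `harden-dnssec-stripped: yes`; the `ResolverSettings` dataclass, the function names and the sample values are constructed for the example.

```python
"""Model of how pfSense's three DNS Resolver switches combine into unbound directives.

Assumed mapping (not stated in the thread): "DNSSEC Support" -> module-config with the
validator module plus auto-trust-anchor-file; "Harden DNSSEC Data" -> harden-dnssec-stripped.
Everything else here (class and function names, sample values) is constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolverSettings:
    enabled: bool                 # DNS Resolver service ("main breaker")
    dnssec: bool                  # "DNSSEC Support", General Settings ("kitchen breaker")
    harden_dnssec_stripped: bool  # "Harden DNSSEC Data", Advanced Settings ("light switch")


def render_unbound_fragment(s: ResolverSettings) -> list[str]:
    """Lines the settings would put into unbound.conf (assumed pfSense mapping).

    A disabled resolver renders nothing: none of its settings matter then.
    """
    if not s.enabled:
        return []
    lines = []
    if s.dnssec:
        lines.append('module-config: "validator iterator"')
        lines.append("auto-trust-anchor-file: /var/unbound/root.key")
    else:
        lines.append('module-config: "iterator"')  # no validator, so nothing to harden
    lines.append(f"harden-dnssec-stripped: {'yes' if s.harden_dnssec_stripped else 'no'}")
    return lines


def effective_hardening(s: ResolverSettings) -> bool:
    """True only when harden-dnssec-stripped can do anything at all."""
    return s.enabled and s.dnssec and s.harden_dnssec_stripped


def validate(s: ResolverSettings) -> list[str]:
    """The reverse check the thread asks for: report options that are checked
    but cannot take effect given the switches above them. Empty list = consistent."""
    warnings = []
    if s.harden_dnssec_stripped and not s.dnssec:
        warnings.append('"Harden DNSSEC Data" is checked but "DNSSEC Support" is off; '
                        "it has no effect until DNSSEC Support is re-enabled.")
    if (s.dnssec or s.harden_dnssec_stripped) and not s.enabled:
        warnings.append("DNSSEC options are checked but the DNS Resolver is disabled.")
    return warnings


def hardening_in_effect(unbound_conf: str) -> bool:
    """Inspect a rendered unbound.conf instead of the GUI: hardening is live only if the
    validator module is loaded and harden-dnssec-stripped is yes.

    unbound's built-in default for module-config is "validator iterator", so an absent
    module-config line counts as validator present.
    """
    validator = True
    hardened = False
    for raw in unbound_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("module-config:"):
            validator = "validator" in line
        elif line.startswith("harden-dnssec-stripped:"):
            hardened = line.split(":", 1)[1].strip().strip('"').lower() == "yes"
    return validator and hardened


if __name__ == "__main__":
    # Day 1: everything on. Day 2: admin unticks DNSSEC Support, forgets the Advanced page.
    day1 = ResolverSettings(enabled=True, dnssec=True, harden_dnssec_stripped=True)
    day2 = ResolverSettings(enabled=True, dnssec=False, harden_dnssec_stripped=True)
    for label, s in (("day1", day1), ("day2", day2)):
        conf = "\n".join(render_unbound_fragment(s))
        print(f"{label}: effective={effective_hardening(s)} "
              f"from_conf={hardening_in_effect(conf)} warnings={validate(s)}")
```

On a live box the rendered file is what counts, so `hardening_in_effect` reads configuration text rather than GUI state; feeding it the contents of the resolver's unbound.conf tells you whether the Advanced-page checkbox is currently doing anything, independent of what the two GUI pages show.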

            Thanks guys, for your reply.

            @johnpoz I can follow the logic, as you explained it, using the main breaker example.


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.