Issues starting BIND (DNSSEC) after upgrading pfSense from version 2.7.2 to 2.8.0
-
Hello,
After upgrading pfSense from version 2.7.2 to 2.8.0, the BIND (named) service on the main firewall stopped starting. I discovered, using the command:
/usr/local/bin/named-checkconf -t /var/etc/named /etc/namedb/named.conf
that auto-dnssec is no longer available in version 9.20 (/etc/namedb/named.conf:76: option 'auto-dnssec' no longer exists), which is the BIND version used in pfSense 2.8. By replacing auto-dnssec with dnssec-policy default in the file /var/etc/named/etc/namedb/named.conf, BIND starts working normally again.
However, when modifying any BIND zone configuration via the graphical interface, auto-dnssec is reinserted, and BIND fails again.
-
@mpossari could that be a problem with boot strapping time? DNSSEC needs accurate time, so doesn’t function till the time service is running. But this maybe irrelevant to your experience.
-
@Patch said in Issues starting BIND (DNSSEC) after upgrading pfSense from version 2.7.2 to 2.8.0:
DNSSEC needs accurate time
Same thing for unbound.
DNSSEC can't work with the correct system time.
So, when looking at the pfSense services bootup process (see console ^^) you'll see that the NTP client start before DNS, unbound, or bind.
But if the ntp clients use host names (or pools) then there's an issue: no DNS available yet.
So, very exceptionally, ntp uses "8.8.8.8" if no local DNS is available.
@mpossari: thanks for the
that auto-dnssec is no longer available in version 9.20
I'm using version 9.16 (old-stable version for Debian 11.11), didn't know that "auto-dnssec" became deprecated.
@mpossari said in Issues starting BIND (DNSSEC) after upgrading pfSense from version 2.7.2 to 2.8.0:
By replacing auto-dnssec with dnssec-policy default in the file /var/etc/named/etc/namedb/named.conf, BIND starts working normally again.
Yep, the config file(s) get auto regenerated all the time.
Locate the place where the bind package files are, and search (grep ^^) in them for 'auto-dnssec'. Open that file, and edit it, replacing "auto-dnssec" with "dnssec-policy default".
Now your config file(s) will be generated correctly.
-
NTP is enabled, and DNSSEC was working correctly with pfSense version 2.7.2. The issue was that the outdated "auto-dnssec maintain" directive was being reinserted by pfSense.
I’ve edited the /usr/local/pkg/bind.inc file, and after a reboot, the correct "dnssec-policy default" directive was successfully applied in /var/etc/named/etc/namedb/named.conf.
Thanks to everyone for the helpful responses!
-
@mpossari said in Issues starting BIND (DNSSEC) after upgrading pfSense from version 2.7.2 to 2.8.0:
The issue was that the outdated "auto-dnssec maintain" directive was being reinserted by pfSense.
pfSense itself doesn't know what 'bind' is. pfSense doesn't come with bind.
You probably installed the pfSense 'bind' package, and that one pulled in the latest original FreeBSD bind, and the GUI part so it can work with pfSense.
The issue is: bind - the FreeBSD package itself was updated, but not the pfSense GUI package part that creates the bind config files.
The pfSense bind package maintainer should be informed.
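The rewrite the posts above describe (replacing the option BIND 9.20 removed with a dnssec-policy), as an added example that is not code from the thread or from the pfSense bind package. The zone stanza and file paths are constructed for the demo; only `named-checkconf -t` and the option names come from the posts.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense bind package.
# BIND 9.20 rejects 'auto-dnssec' ("option 'auto-dnssec' no longer exists"),
# so a signed zone must declare a 'dnssec-policy' instead.
# The zone below and all paths are constructed for this demo.

# Write a constructed pre-9.20 zone stanza (the form that fails) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
zone "example.test" {
    type master;
    file "/etc/namedb/master/example.test.DB";
    auto-dnssec maintain;
    inline-signing yes;
};
EOF
}

# Exit 0 if $1 still carries the removed option, i.e. named would still fail.
has_auto_dnssec() {
    grep -q 'auto-dnssec' "$1"
}

# Rewrite $1, turning 'auto-dnssec maintain;' into 'dnssec-policy default;'.
# Only 'maintain' is mapped: 'default' is a signing policy, so an
# 'auto-dnssec off;' zone must not silently become a signed one.
# 'inline-signing yes;' is kept; BIND 9.20 still accepts it beside a policy.
# Prints the number of stanzas changed.
migrate_auto_dnssec() {
    before=$(grep -c 'auto-dnssec[[:space:]]*maintain;' "$1" || true)
    tmp="$1.migrated"
    sed -e 's/auto-dnssec[[:space:]]*maintain;/dnssec-policy default;/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
    echo "$before"
}

# Validate with named-checkconf when installed; $1 is the chroot directory
# (-t, as in the first post) and $2 the config path inside it.
check_with_named() {
    if ! command -v named-checkconf >/dev/null 2>&1; then
        echo "named-checkconf not installed; skipping syntax check" >&2
        return 0
    fi
    named-checkconf -t "$1" "$2"
}
```

Run `write_sample_conf /tmp/demo.conf; migrate_auto_dnssec /tmp/demo.conf; cat /tmp/demo.conf` to see the stanza before and after; on a real system point `check_with_named` at the chroot and config path from the first post.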