DNSSEC on pfSense
-
Today I updated pfSense to 2.0-BETA4 (i386), built on Mon Nov 22 02:54:15 EST 2010, and unbound to v1.22. But no luck:
Nov 22 19:50:52 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1290451852] unbound[33548:0] error: bind: address already in use [1290451852] unbound[33548:0] fatal error: could not open ports'
Nov 22 19:50:52 unbound: [56312:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 22 19:50:52 unbound: [56312:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 22 19:50:52 unbound: [56312:0] info: service stopped (unbound 1.4.7).
Nov 22 19:50:52 check_reload_status: syncing firewall
Nov 22 19:50:16 unbound: [56312:0] info: start of service (unbound 1.4.7).
Nov 22 19:50:16 unbound: [56312:0] notice: init module 1: iterator
Nov 22 19:50:16 unbound: [56312:0] notice: init module 1: iterator
Nov 22 19:50:16 unbound: [56312:0] notice: init module 0: validator
Nov 22 19:50:16 unbound: [56312:0] notice: init module 0: validator
Nov 22 19:50:15 check_reload_status: reloading filter
Nov 22 19:50:14 unbound: [53850:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 22 19:50:14 unbound: [53850:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 22 19:50:14 unbound: [53850:0] info: service stopped (unbound 1.4.7).
Nov 22 19:50:13 check_reload_status: syncing firewall
Nov 22 19:49:58 unbound: [53850:0] info: start of service (unbound 1.4.7).
Nov 22 19:49:58 unbound: [53850:0] warning: root hints root.hints: no NS content
Nov 22 19:49:58 unbound: [53850:0] warning: root hints root.hints: no NS content
Nov 22 19:49:58 unbound: [53850:0] notice: init module 1: iterator
Nov 22 19:49:58 unbound: [53850:0] notice: init module 1: iterator
Nov 22 19:49:58 unbound: [53850:0] notice: init module 0: validator
Nov 22 19:49:58 unbound: [53850:0] notice: init module 0: validator
Nov 22 19:49:58 check_reload_status: syncing firewall
Nov 22 19:48:27 check_reload_status: reloading filter
Nov 22 19:48:26 php: : Reloading Squid for configuration sync
Nov 22 19:48:14 check_reload_status: syncing firewall
Nov 22 19:48:14 php: /pkg_mgr_install.php: Beginning package installation for Unbound.
Starting unbound manually via the console didn't work: unbound-control start, stop or status resulted in nothing. No output, and the program didn't exit. I had to kill it via Ctrl-C. But starting via the web UI worked:
Nov 22 20:00:04 unbound: [22972:0] info: start of service (unbound 1.4.7).
Nov 22 20:00:04 unbound: [22972:0] notice: init module 1: iterator
Nov 22 20:00:04 unbound: [22972:0] notice: init module 1: iterator
Nov 22 20:00:04 unbound: [22972:0] notice: init module 0: validator
Nov 22 20:00:04 unbound: [22972:0] notice: init module 0: validator
But I still don't get Borat, only Picard on the dnssec-test-site. :(
-
Take your time m8…
Heh :) Thanks. I figured out the DHCP DNS problem. It's directly related to DNSmasq being disabled in the XML config. Will think about how we can adjust this and let you know the status over the course of the week.
-
Nov 22 19:50:52 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1290451852] unbound[33548:0] error: bind: address already in use [1290451852] unbound[33548:0] fatal error: could not open ports'
Looks like DNSMasq wasn't shut down - will have to add some additional safety belts.
But I still don't get Borat, only Picard on the dnssec-test-site. :(
What does dig @<ip> edu +dnssec return? Have a look at the flags section in the returned output; it should contain the 'ad' flag. Picard could be cached.
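The flags check suggested above, as an added example (this is not code from the thread, from pfSense or from the Unbound project). It classifies a resolver's DNSSEC behaviour from the text that `dig ... +dnssec` prints: the `ad` flag, the `cd` flag, the response status and whether any RRSIG records came back. The transcripts embedded below are constructed and trimmed to the header, flags line and answer section; the RRSIG rdata is a placeholder, not a real signature.

```python
"""Classify a resolver's DNSSEC behaviour from the text output of dig.

Added example, not from the thread or the Unbound project. The transcripts
below are constructed (the RRSIG rdata is a placeholder) and trimmed to what
the check needs; real output from `dig @<ip> edu +dnssec` has the same header.
"""
import re

# A validating resolver: 'ad' set, signatures present.
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
edu.\t\t172800\tIN\tNS\ta.edu-servers.net.
edu.\t\t172800\tIN\tRRSIG\tNS 8 1 172800 20101201000000 20101124000000 12345 edu. cGxhY2Vob2xkZXI=
"""

# A non-validating forwarder: signatures pass through, but no 'ad'.
SAMPLE_FORWARDED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
edu.\t\t172800\tIN\tNS\ta.edu-servers.net.
edu.\t\t172800\tIN\tRRSIG\tNS 8 1 172800 20101201000000 20101124000000 12345 edu. cGxhY2Vob2xkZXI=
"""

# What a validator returns when validation fails (or its trust anchor is broken).
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)
# An RRSIG record anywhere in a section: "<owner> <ttl> IN RRSIG ..."
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s", re.M)


def dnssec_verdict(dig_output: str) -> dict:
    """Return status, the ad/rrsig signals and a one-line verdict for one transcript."""
    header = HEADER_RE.search(dig_output)
    flags_match = FLAGS_RE.search(dig_output)
    status = header.group(1) if header else "UNKNOWN"
    flags = set(flags_match.group(1).split()) if flags_match else set()
    rrsig = bool(RRSIG_RE.search(dig_output))

    if "cd" in flags:
        # checking disabled: the resolver was asked not to validate, so 'ad' is meaningless
        verdict = "unvalidated: cd set, resolver was told not to validate"
    elif status == "SERVFAIL":
        verdict = "servfail: validation failure or resolver/trust-anchor problem"
    elif "ad" in flags:
        verdict = "validated"
    elif rrsig:
        verdict = "signed but not validated by this resolver"
    else:
        verdict = "no signatures seen: zone unsigned or resolver strips DNSSEC"
    return {"status": status, "ad": "ad" in flags, "rrsig": rrsig, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("validating", SAMPLE_VALIDATED),
                          ("forwarding", SAMPLE_FORWARDED),
                          ("servfail", SAMPLE_SERVFAIL)):
        print(label, dnssec_verdict(sample))
```

Two caveats when reading the result: the `ad` bit is set by the resolver and travels unauthenticated to the client, so it only means something when the path to the resolver (here the pfSense box on the LAN) is trusted; and a cached unvalidated answer, the "Picard" case above, is only cleared by flushing it (`unbound-control flush <name>`) or waiting out its TTL before re-testing.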
-
Take your time m8…
Heh :) Thanks. I figured out the DHCP DNS problem. It's directly related to DNSmasq being disabled in the XML config. Will think about how we can adjust this and let you know the status over the course of the week.
Cool! Waiting for an update then. Until then I'll just use dnsmasq as before…
-
after reboot, syslog ui :
Nov 30 09:41:58 unbound: [669:0] info: service stopped (unbound 1.4.7).
Nov 30 09:41:58 unbound: [669:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 30 09:41:58 unbound: [669:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 30 09:41:58 unbound: [687:0] notice: init module 0: iterator
Nov 30 09:41:58 unbound: [687:0] notice: init module 0: iterator
Nov 30 09:41:58 unbound: [687:0] info: start of service (unbound 1.4.7).
Nov 30 09:42:00 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1291084920] unbound[704:0] error: bind: address already in use [1291084920] unbound[704:0] fatal error: could not open ports'
After a manual save in the GUI, the syslog makes it look like it's running:
Nov 30 09:46:58 unbound: [687:0] info: server stats for thread 0: 73 queries, 0 answers from cache, 73 recursions, 0 prefetch
Nov 30 09:46:58 unbound: [687:0] info: server stats for thread 0: requestlist max 7 avg 3.23288 exceeded 0
Nov 30 09:46:58 unbound: [687:0] info: average recursion processing time 1.453108 sec
Nov 30 09:46:58 unbound: [687:0] info: histogram of recursion processing times
Nov 30 09:46:58 unbound: [687:0] info: [25%]=0.182044 median[50%]=0.261905 [75%]=0.289474
Nov 30 09:46:58 unbound: [687:0] info: lower(secs) upper(secs) recursions
Nov 30 09:46:58 unbound: [687:0] info: 0.032768 0.065536 1
Nov 30 09:46:58 unbound: [687:0] info: 0.065536 0.131072 3
Nov 30 09:46:58 unbound: [687:0] info: 0.131072 0.262144 8
Nov 30 09:46:58 unbound: [687:0] info: 0.262144 0.524288 9
Nov 30 09:46:58 unbound: [687:0] info: 0.524288 1.000000 10
Nov 30 09:46:58 unbound: [687:0] info: 1.000000 2.000000 21
Nov 30 09:46:58 unbound: [687:0] info: 2.000000 4.000000 19
Nov 30 09:46:58 unbound: [687:0] info: 4.000000 8.000000 2
On the console, I still get the error message:
[2.0-BETA4][root@rserver.local]/root(4): unbound -v
[1291085668] unbound[2106:0] notice: Start of unbound 1.4.7.
[1291085668] unbound[2106:0] error: bind: address already in use
[1291085668] unbound[2106:0] fatal error: could not open ports
Connection to the net works, but resolving is still slower than with dnsmasq.
I think I'll use dnsmasq till I get an update.
Thanks for providing the unbound package.
-
Ok I am back from vacation. Will look into the various bugs and let you guys know when an update is committed.
-
hello wagonza! Hope your vacation was nice and groovy…
I have a little(?) proposal: Could you put the unbound-logs separate? Maybe in that section "package-logs"?
It is logging really a lot, so the normal syslog is full of unbound log entries, which makes it somewhat difficult to find specific entries. That means I have to open a console to view the log directly; 1000 lines are not enough in the web GUI... (Not a big deal, but it would make things easier.)
-
I hear you - will add this. Otherwise I'm winning with all the other changes. Hopefully will commit some time tomorrow.
Off to lala land for tonight.
-
Woot!
-
Guys I have committed some changes which include Unbound getting its own log file. This will require a recent snapshot (later than Thursday last week) as there were some bugs in package log handling. I have also added some extra 'statistics' options, so that it is up to the user to decide on what he/she wants to see and how often.
I can add debugging verbosity as well if you guys think that would help you?
There is one caveat currently: DHCP entries end up in the hosts file and there is a daemon that handles updating /etc/hosts whenever there is a change to the dhcp leases file. This daemon will need to be updated to handle updating unbound. Currently only a re-save on Unbound will re-populate this data.
Lastly, if you make use of DHCP and you assign pfSense as your DNS server (i.e. DNS servers field is left blank) then you will need to specify the IP address of the respective DHCP interface so that existing behaviour is kept. The reason for this is that in the base of pfSense it will automatically assign the Systems: General DNS servers to the dhcp client if DNSMasq is disabled.
So just reinstall and please let me know what else is still not working.
-
There is one caveat currently: DHCP entries end up in the hosts file and there is a daemon that handles updating /etc/hosts whenever there is a change to the dhcp leases file. This daemon will need to be updated to handle updating unbound. Currently only a re-save on Unbound will re-populate this data.
Hey,
great news. I will check it out, soon. What I do not get though is your post I quoted. What does that exactly have to mean? At what times do I have to press save on Unbound tab?
-
Unbound does not install:
Beginning package installation for Unbound... Downloading package configuration file... done. Saving updated package information... done. Downloading Unbound and its dependencies... Checking for package installation... unbound-1.4.7 could not download. of unbound-1.4.7 failed! Installation aborted.Removing package... Starting package deletion for unbound-1.4.7...done. Starting package deletion for expat-2.0.1_1...done. Starting package deletion for openssl-1.0.0_2...done. Removing Unbound components... Tabs items... done. Menu items... done. Services... done. Loading package instructions... Include file unbound.inc could not be found for inclusion. Deinstall commands... Not executing custom deinstall hook because an include is missing. Removing package instructions...done. Auxiliary files... done. Package XML... done. Configuration... done. Failed to install package. Installation halted.
-
Did the update today and encountered this:
kernel: pid 41731 (php), uid 0: exited on signal 11 (core dumped) Dec 6 15:06:59 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '/usr/local/etc/unbound/unbound.conf:52: error: unknown keyword '2.8' /usr/local/etc/unbound/unbound.conf:52: error: unknown keyword 'intel' /usr/local/etc/unbound/unbound.conf:52: error: stray ''' /usr/local/etc/unbound/unbound.conf:52: error: stray '"' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword '2,1' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword 'PPC' /usr/local/etc/unbound/unbound.conf:55: error: stray ''' /usr/local/etc/unbound/unbound.conf:55: error: stray '"' read /usr/local/etc/unbound/unbound.conf failed: 8 errors in configuration file [1291644419] unbound[60301:0] fatal error: Could not read config file: /usr/local/etc/unbound/unbound.conf'
Obviously it doesn't work. :(
The unbound.conf is in the expected place; the errors about the offending keywords are excerpted from the respective local client descriptions. Here are two of the lines from the unbound.conf:
local-data: "tiffany.local IN A 10.112.35.2"
local-data: "tiffany.local TXT 'iMac 24" 2.8 intel'"
Hope that helps. Oh, shouldn't the log be separate?
-
great news. I will check it out, soon. What I do not get though is your post I quoted. What does that exactly have to mean? At what times do I have to press save on Unbound tab?
Sorry, let me rephrase. If you make use of "Register DHCP leases in DNS forwarder", what actually happens is that the dhcp leases file is read whenever it gets updated with a new host or a host's IP changes. The daemon that monitors the dhcp leases file then updates /etc/hosts so that DNSMasq will resolve these DHCP hosts by their hostname. For now this daemon will still update /etc/hosts, but Unbound will not be updated as it does not use/read /etc/hosts. So what you have to do, for the interim, is save the config on Unbound - this process will read /etc/hosts and create the relevant entries to match. If your DHCP leases data (IP to host mapping) changes often then this will become a little irritating.
I am investigating libunbound to see if I can get the same behaviour as pfSense currently has.
PS. You can look for the dhcpleases entries with the comment "# dynamic entry from dhcpd.leases" in your hosts file below the "# dhpleases automatically entered" comment.
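The /etc/hosts to `local-data:` step described above, as an added example (not pfSense package code and not Unbound project code). It reads the dhcpleases section of a constructed hosts file using the marker comments quoted above, and it treats every hostname and description as untrusted input before writing it into unbound.conf: hostnames are checked against RFC 1123 label rules, and descriptions are reduced to a conservative character allowlist so that a `"` in a description (the iMac entry earlier in this thread) can neither terminate the config string nor inject further directives. The marker text, the per-host description mapping and the sample addresses are assumptions for the example.

```python
"""Generate Unbound local-data from the dhcpleases section of /etc/hosts.

Added example (not pfSense or Unbound project code). Assumes pfSense's
dhcpleases daemon writes the marker comments quoted in the thread and that
per-host descriptions come from a separate mapping (here a constructed dict).
"""
import ipaddress
import re

DHCP_MARKER = "# dhpleases automatically entered"   # marker as quoted in the thread

# Constructed sample /etc/hosts. The '"' in the fourth entry stands in for a
# client-chosen hostname that would otherwise land verbatim inside unbound.conf.
SAMPLE_HOSTS = """\
127.0.0.1\tlocalhost localhost.local
10.112.35.1\trserver.local rserver
# dhpleases automatically entered
10.112.35.2\ttiffany.local tiffany\t# dynamic entry from dhcpd.leases
10.112.35.7\tbad"host.local badhost\t# dynamic entry from dhcpd.leases
2001:db8::9\tprinter.local printer\t# dynamic entry from dhcpd.leases
"""

# Constructed: descriptions as typed in the GUI, one containing a double quote
# exactly like the iMac entry that broke the generated unbound.conf.
SAMPLE_DESCRIPTIONS = {"tiffany.local": 'iMac 24" 2.8 intel'}

# RFC 1123 label: 1-63 alphanumerics or hyphens, not starting or ending with '-'
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Allowlist for TXT text: nothing that can close, escape or comment out a config string
TXT_UNSAFE_RE = re.compile(r"[^A-Za-z0-9 ._-]")


def valid_hostname(name: str) -> bool:
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def safe_txt(description: str) -> str:
    """Strip every character outside the allowlist rather than trying to escape it."""
    return TXT_UNSAFE_RE.sub("", description).strip()


def parse_dhcp_hosts(hosts_text: str):
    """Yield (ip, [names]) for the lines below the dhcpleases marker only."""
    in_dhcp = False
    for line in hosts_text.splitlines():
        if line.strip() == DHCP_MARKER:
            in_dhcp = True
            continue
        if not in_dhcp:
            continue
        fields = line.split("#", 1)[0].split()   # drop the trailing comment
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def unbound_local_data(hosts_text: str, descriptions=None):
    """Return (config_lines, rejected_names). Bad input is dropped, never quoted through."""
    descriptions = descriptions or {}
    lines, rejected = [], []
    for ip, names in parse_dhcp_hosts(hosts_text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            rejected.extend(names)
            continue
        rrtype = "A" if addr.version == 4 else "AAAA"
        good = [n for n in names if valid_hostname(n)]
        rejected.extend(n for n in names if n not in good)
        for name in good:
            fqdn = name.rstrip(".") + "."
            lines.append(f'local-data: "{fqdn} IN {rrtype} {addr}"')
            desc = safe_txt(descriptions.get(name, ""))
            if desc:
                # single quotes outside, so the TXT string's own double quotes survive
                lines.append(f"local-data: '{fqdn} IN TXT \"{desc}\"'")
        if good:
            # one reverse entry per address, for the first (fully qualified) name
            lines.append(f'local-data-ptr: "{addr} {good[0].rstrip(".")}."')
    return lines, rejected


if __name__ == "__main__":
    conf, bad = unbound_local_data(SAMPLE_HOSTS, SAMPLE_DESCRIPTIONS)
    print("\n".join(conf))
    print("rejected:", bad)
```

Rejecting rather than escaping is deliberate: DHCP client hostnames are chosen by whatever plugs into the LAN, and a generator that only needs to produce valid config is easier to reason about than one that has to track both Unbound's string quoting and the RR presentation format's own escaping rules.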
-
Thanks for the explanation. I am using the register clients function. But I guess I won't be adding any names right now. My LAN at home won't grow ;-)
But I still can't install the package :(
-
Unbound does not install:
yeah bad timing - the package server died, not sure of the status currently. I know jim-p is working on it.
-
Did the update today and encountered this:
kernel: pid 41731 (php), uid 0: exited on signal 11 (core dumped) Dec 6 15:06:59 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '/usr/local/etc/unbound/unbound.conf:52: error: unknown keyword '2.8' /usr/local/etc/unbound/unbound.conf:52: error: unknown keyword 'intel' /usr/local/etc/unbound/unbound.conf:52: error: stray ''' /usr/local/etc/unbound/unbound.conf:52: error: stray '"' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword '2,1' /usr/local/etc/unbound/unbound.conf:55: error: unknown keyword 'PPC' /usr/local/etc/unbound/unbound.conf:55: error: stray ''' /usr/local/etc/unbound/unbound.conf:55: error: stray '"' read /usr/local/etc/unbound/unbound.conf failed: 8 errors in configuration file [1291644419] unbound[60301:0] fatal error: Could not read config file: /usr/local/etc/unbound/unbound.conf'
Obviously it doesn't work. :(
The unbound.conf is in the expected place; the errors about the offending keywords are excerpted from the respective local client descriptions. Here are two of the lines from the unbound.conf:
local-data: "tiffany.local IN A 10.112.35.2"
local-data: "tiffany.local TXT 'iMac 24" 2.8 intel'"
Hope that helps. Oh, shouldn't the log be separate?
Ooo not cool - will fix that.
You should have a /var/log/unbound.log (but you need to be running one of the latest snapshot)? Also in /etc/syslog.conf, you should see unbound config entry.
-
Ok @_igor_ your stuff should be working now - just reinstall the package.
@jlepthien - I have just installed unbound and it correctly downloaded everything.
-
Still having problems here. I am on NanoBSD…
Beginning package installation for Unbound... Downloading package configuration file... done. Saving updated package information... done. Downloading Unbound and its dependencies... Checking for package installation... unbound-1.4.7 (extracting) expat-2.0.1_1 (extracting) openssl-1.0.0_3 (extracting) libevent-1.3e could not download. of unbound-1.4.7 failed! Installation aborted.Removing package... Starting package deletion for unbound-1.4.7...done. Starting package deletion for expat-2.0.1_1...done. Starting package deletion for openssl-1.0.0_2...done. Removing Unbound components... Tabs items... done. Menu items... done. Services... done. Loading package instructions... Include file unbound.inc could not be found for inclusion. Deinstall commands... Not executing custom deinstall hook because an include is missing. Removing package instructions...done. Auxiliary files... done. Package XML... done. Configuration... done. Failed to install package. Installation halted.
-
Ok, I was testing on a full install, but that shouldn't make a difference as the packages are collected from the same place.
All I can say is try again today.