Bind package for pfsense 2.1
-
I have an Internet connection via the satellite. Therefore I feel need in increase in ttl.
Marcelloc, can you add the option "min-cache-ttl" in your package? Description in russian here http://alex-at.ru/linux/bind-9-6-0-p1-ttl. And patch is:diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c --- bind-9.6.0-P1.orig/bin/named/config.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/bin/named/config.c 2009-05-22 12:31:35.000000000 +0400 @@ -129,6 +129,8 @@ min-roots 2;\n\ lame-ttl 600;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ + override-cache-ttl 0; /* do not override */\n\ + min-cache-ttl 0; /* no minimal, zero is allowed */\n\ max-cache-ttl 604800; /* 1 week */\n\ transfer-format many-answers;\n\ max-cache-size 0;\n\ diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c --- bind-9.6.0-P1.orig/bin/named/server.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/bin/named/server.c 2009-05-22 12:32:18.000000000 +0400 @@ -1727,6 +1727,16 @@ CHECK(mustbesecure(obj, view->resolver)); obj = NULL; + result = ns_config_get(maps, "override-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->overridecachettl = cfg_obj_asuint32(obj); + + obj = NULL; + result = ns_config_get(maps, "min-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->mincachettl = cfg_obj_asuint32(obj); + + obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h --- bind-9.6.0-P1.orig/lib/dns/include/dns/view.h 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/dns/include/dns/view.h 2009-05-22 12:29:03.000000000 +0400 @@ -131,6 +131,8 @@ isc_boolean_t provideixfr; isc_boolean_t requestnsid; dns_ttl_t maxcachettl; + dns_ttl_t mincachettl; + dns_ttl_t overridecachettl; dns_ttl_t maxncachettl; in_port_t dstport; dns_aclenv_t aclenv; diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c --- bind-9.6.0-P1.orig/lib/dns/resolver.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/dns/resolver.c 2009-05-22 12:30:41.000000000 +0400 @@ -4054,6 +4054,18 @@ } /* + * Enforce the configure cache TTL override. + */ + if (res->view->overridecachettl) + rdataset->ttl = res->view->overridecachettl; + + /* + * Enforce the configure minimum cache TTL. + */ + if (rdataset->ttl < res->view->mincachettl) + rdataset->ttl = res->view->mincachettl; + + /* * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c --- bind-9.6.0-P1.orig/lib/isccfg/namedconf.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/isccfg/namedconf.c 2009-05-22 12:31:21.000000000 +0400 @@ -821,6 +821,8 @@ { "lame-ttl", &cfg_type_uint32, 0 }, { "max-acache-size", &cfg_type_sizenodefault, 0 }, { "max-cache-size", &cfg_type_sizenodefault, 0 }, + { "override-cache-ttl", &cfg_type_uint32, 0 }, + { "min-cache-ttl", &cfg_type_uint32, 0 }, { "max-cache-ttl", &cfg_type_uint32, 0 }, { "max-clients-per-query", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_uint32, 0 }, -
Marcelloc, can you add the option "min-cache-ttl" in your package?
I can't compile binaries to official repo. :(
It will need a freebsd ports patch on bind before we can include it on pfsense compile options.
-
So how do enabled dnssec validation so that say if go to site like this - shows protected? http://dnssectest.sidn.nl
I have no idea. What tests are these?
-
But if I query pfsense no AD flag?
Maybe it's related to this?
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/242956 -
It is a test that dns your using is validating dnssec info.
As you saw my ubuntu box running default bind install as recursive server reflects that dnssec was validated with the AD flag when used +dnssec.
google dns for example as enabled dnssec validation even if client does not request.. So you can see below that simple query to googledns without +dnssec still returns the AD flag for a domain that passes validation.. While a domain that does not have it does not
; <<>> DiG 9.9.2-P1 <<>> @8.8.8.8 pir.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38390
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1; <<>> DiG 9.9.2-P1 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63693
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1If I set my client to use google dns the above test site states that my dns is validating
What I would like is bind to do dnssec validation even when not specifically requested via +dnssec - but I can not seem to get it to the validation even with +dnssec flag..
Ok got it to work with below options, seems setting to yes for validation requires to add keys, while auto loads the keys included with bind.
dnssec-enable yes;
dnssec-validation auto;now what is odd is that test site is saying permissive.. but I doubt that is the case to be honest.. since if I try query a zone that broken dnssec get servfail like it should
; <<>> DiG 9.9.2-P1 <<>> www.rhybar.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52165
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1If I query the site via a resolver that does not do validation I get an answer
; <<>> DiG 9.9.2-P1 <<>> @4.2.2.2 www.rhybar.cz
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.rhybar.cz. IN A
;; ANSWER SECTION:
www.rhybar.cz. 600 IN A 217.31.205.51So it seems to be working correctly - but what is odd is that that test shows google is not permissive? But bind on pfsense is? Odd maybe I will email them about that aspect of their test.
-
Anybody else testing it? I'm planning to change status to release as it's running fine here.
When you added $ORIGIN, reverse lookup broke, a simple if statement will fix it:
if($zonereverso == "on") $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n"; else $zone_conf .= "\$ORIGIN {$zonename}.\n";-Q
-
When you added $ORIGIN, reverse lookup broke, a simple if statement will fix it:
-
Does this package integrate well with the pfsense DHCP?
Are you getting any error on logs?
Can you increase log debugging to see what is wrong.
Are your internal dnssec zone working?
-
marcelloc
Thanks for creating this BIND packge for pfSense. And thanks for fixing it yesterday! I am new to pfSense and was trying to set up my domain with your package and banging my head trying to figure out why the reverse domain kept failing to load. I turned on extra debugging to see what the error was, then manually edited the zone file to add the rest of the proper SOA suffix (in-addr.arpa.) and it worked. Then I noticed this post and checked out the version history on the package and re-installed it. Edited/saved my reverse zone and now I see the GUI puts in the proper SOA syntax.
Thanks again! ;D
-
Are you getting any error on logs?
Here's an example of the server storage1 trying to update it's DNS record. The entry storage1 doesn't exist in bind yet as I want it to be automatically created when a DHCP lease is given. If the entry already exists, it would be simply updated.
named[95868]: client 192.168.1.6#57928: view internal: updating zone 'internal.myzone.lan/IN': update unsuccessful: storage1.internal.myzone.lan/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
From reading bind documentation, the DHCP server would need a shared key with Bind in order to allow the creation of a new entry (not just updating an entry). In the current pfsense GUI, there's no option to add custom commands or parameters.
Are your internal dnssec zone working?
I was using dnssec but to keep things simple I disabled it. It's not being used anymore
-
In the current pfsense GUI, there's no option to add custom commands or parameters.
It has custom options fields on almost all gui tabs.
What additional configuration do you need?
-
I may be going in the wrong direction, I've been following the steps outlined from here http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/#id2255991/ and therefore I would have liked to use a common key between dhcpd and bind in order to authorize the creation of new entries in bind.
-
This is nice and I might just switch to this from unbound!
But….
If I select listen on all interfaces, you generate:
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
statistics-file "/var/log/named.stats";
max-cache-size 256M;
listen-on-v6 { Any; };
listen-on { Any; };
version "N/A";};
That's good. However I don't want it to listen on the WAN interface, so if I select individual interfaces other than the WAN interfaces, you generate:
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
statistics-file "/var/log/named.stats";
max-cache-size 256M;
listen-on-v6 { none; }; <------------- This is bad!!!
listen-on { 192.168.4.1; 192.168.0.1; 24.98.144.135; 127.0.0.1; };
version "N/A";};
What? No IPV6 support???
-
Oh! And another thing. If I disable bind, then reboot… it is restarted anyway!
-
What? No IPV6 support???
Do you have ipv6 address assigned to any interface?
bind found these (192.168.4.1; 192.168.0.1; 24.98.144.135; 127.0.0.1; )
-
Oh! And another thing. If I disable bind, then reboot… it is restarted anyway!
Disable on gui or just stop the service?
-
Of course. All interfaces have IPV6 addresses, but it seems the config generating script didn't find them. And yes to answer your other question, disabled (or rather, not enabled) in the GUI. Great package though. I've switched to it and rely on the firewall to block IPV6 DNS queries from the WAN interface.
I think it may be a timing thing (as in the time when the config file is generated) since it missed one of the IPV4 addresses and IPV6 address allocation is a little slower than IPV4 address allocation since IPV6 must receive IPV6 router advertisements before it can configure its IPV6 subnets.
-
I'll check service startup.
After a while can you check if ipv6 addresses are listed on bind conf?
-
Here's your bug (attached fix). You weren't checking for IPV6 correctly in listen-on processing logic in bind.inc.
-
