[Resolved] Unbound DNSSEC
-
Hello,
I have checked "Enable DNSSEC Support" in the DNS resolver Unbound, but when I go on sites that are signed with DNSSEC, my computer tells me that the domain has not been verified with DNSSEC.
To check if a domain name is signed, I use the Chrome extension "DNSSEC Validator": https://www.dnssec-validator.cz/pages/download.html
Why does the plugin fail to check if the domain name is signed?
I tried, for example, with the domain name "dns.be", which is signed:
; <<>> DiG 9.10.1-P1 <<>> dns.be DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45665
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.be. IN DNSKEY

;; ANSWER SECTION:
dns.be. 86389 IN DNSKEY 256 3 8 AwEAAbn7pkm6ExNWDUg33d0k Icb9NxYww4M/NQD/aPCuq6eKIu1TVM2a 2e7iXdOpIpSgfu8BXFWhuTF8bTewN5UFT9183QOKXwDRepr lr8nTz7WS R5UXIFNavJMxW6XtdZslu4jZYExlSidugSNGw0X0ok6YUVGi+3mCXyI2 6dONpaDP
dns.be. 86389 IN DNSKEY 257 3 8 AwEAAcUMaeEPrigxGE1niu6Z 3jZFL4DmPWYHAXpmOP1tTQhx7y+6gyhx e3Od3qQgnWwSZeEkMdLkaPtnu93Etvom1Sjum859LjSg/z+ AomNT//xM yTe23RPINOV7dWuq35Z5v3LeTZ1q4cgtexpNk++iHW6weATPmex/J7KN bhbmhWrOrv7Z6 HG5CdQOLlF+ezUIr+dBHzdwj7ZD/gOTV/SI0etjf8MO 6tLH/FHT919SMdZ8pfgOD3rMnrVRKT8/N7kd 9p6j9FSxDMdcvxjx9U9c zuYiM4tiJYvnFwgsy+RlTD4S6qVj3i6xKztzyhkEE1oPbglWjMDF3m4E l8 UsvIWW1Jk=
dns.be. 86389 IN DNSKEY 256 3 8 AwEAAck5/3JsVfASFMrt5+yz VqjTD42p0sfQb53pT855oUXt/FhGTpWV PBKOvYuhA3VFY6l4RazaV1ZsP7kiok8NuY0ESzd+QCr6aIg Jn5y2Csel uf/e3YgA1cWoJaJgqZC6lZ79dFaAh7YoGgu1SCd1B/A6XLpLzMI11EPi 5L7vAoFb
dns.be. 86389 IN DNSKEY 256 3 8 AwEAAaHNeQxGDznN7XXfd+Uq QR+05rel0NZxxFNmF2+PnlF4kcRwMONI NS3I4hNueih0WRnG/h6bEwJ2GlHzA4no5yYnpx4AUcOJqom SbJcPG/q2 yDdZ2Lu42kNIkkVQt3YKIGcdrauwGuQn27/kroux31dKHn+v3aHh8kiU dkyCTVwz

;; Query time: 0 msec
;; SERVER: 10.30.100.1#53(10.30.100.1)
;; WHEN: Sun Mar 01 15:14:38 Paris, Madrid 2015
;; MSG SIZE rcvd: 755
Thanks for your help :)
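The dig output above already answers the question about the resolver: the `ad` flag in the header means the server at 10.30.100.1 validated dns.be itself, whatever a browser extension reports. The following is an added example, not code from any poster in this thread; it parses dig output of that shape offline, on a constructed and shortened copy of that response, and reports what the response says about the resolver.

```python
import re

# Constructed sample: the header and answer lines of the dig output quoted in
# the first post, with the DNSKEY key material shortened to "...".
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45665
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
dns.be. 86389 IN DNSKEY 256 3 8 AwEAAbn7pkm6ExNWDUg33d0k...
dns.be. 86389 IN DNSKEY 257 3 8 AwEAAcUMaeEPrigxGE1niu6Z...
"""


def parse_dig(output):
    """Pull rcode, header flags, EDNS flags and DNSKEY roles out of dig text."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"^;; flags:([^;]*);", output, re.M)
    edns = re.search(r"^; EDNS: .*?flags:([^;]*);", output, re.M)
    # DNSKEY rdata starts with <flags> <protocol> <algorithm>; flags 257 = KSK
    keys = re.findall(r"^\S+\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+\d+\s+(\d+)", output, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "edns_flags": set(edns.group(1).split()) if edns else set(),
        "dnskeys": [{"role": "KSK" if int(f) == 257 else "ZSK", "algorithm": int(a)}
                    for f, a in keys],
    }


def assess(output):
    """Say what a dig response tells you about the resolver, not the browser."""
    info = parse_dig(output)
    if info["status"] == "SERVFAIL":
        # A validating resolver answers SERVFAIL for data that fails validation;
        # repeat the query with +cd to tell that apart from an upstream outage.
        return "servfail"
    if "ad" in info["flags"]:
        # AD (authenticated data) is set by the resolver that validated the answer.
        return "validated"
    if info["dnskeys"]:
        # The zone publishes keys, but this resolver did not validate the answer.
        return "signed-not-validated"
    return "unsigned-or-unknown"
```

The AD bit is only worth anything from a resolver you trust on the path to it, here the pfSense box on the LAN; an untrusted forwarder could set it without validating.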
-
And when you go here, what do you get?
http://dnssectest.sidn.nl/test.php
OK, not really a Chrome user, so I installed the checker for Firefox https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/
Went to your dns.be, got a redirection but it shows DNSSEC OK - see 2nd pic. You sure your browser is using pfSense as DNS, no proxy? Chrome likes to use a proxy if I recall, at least on iOS and Android devices https://developer.chrome.com/multidevice/data-compression
Not sure about your addon for Chrome, but I have to assume it has to use something to validate the DNSSEC - so where is it pointing? So for example the Firefox addon has the ability to use the system's DNS, a custom one or some other method related to the addon, not sure exactly what that does, etc. See 3rd pic.
-
And when you go here, what do you get? http://dnssectest.sidn.nl/test.php
It told me "I am protected".
OK, not really a Chrome user, so I installed the checker for Firefox https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/
In Firefox it also tells me "I am protected" (but it also tells me this when "DNSSEC Support" in Unbound is deactivated).
You sure your browser is using pfSense as DNS, no proxy?
Chrome uses my pfSense resolver.
Is this just a problem of the Chrome extension?
Thanks
-
I am not exactly sure how those addons work. I can tell you if I turn it off in Unbound then that test page fails. But yes, still using system settings, that addon for Firefox still says protected, which is clearly not true from normal system settings, etc.
I would trust the test more than those addons to be honest.
So to get a valid test, make sure you flush your local DNS cache and your browser DNS cache, etc. If I turn it off in the Unbound resolver it fails; if I turn it on in the Unbound resolver it passes.
-
OK, if I deactivate "DNSSEC support", the test fails.
In order to make the plugin work in Chrome, we have to install a binary: https://www.dnssec-validator.cz/pages/download.html#package
Thanks :-)