DNS Resolver / DNSSEC in permissive mode.
-
When I run the test at
http://dnssectest.sidnlabs.nl/test.php
It says my DNSSEC configuration is set to permissive mode. How can I turn permissive mode off in the pfsense GUI?
Thanks
-
You need to ask the guys what they mean by "permissive mode". All they describe in their FAQ is green tick and red cross. DNSSEC is either off or on in the DNS resolver. There is no "permissive mode". The only toggle is "Harden DNSSEC data" in advanced settings.
-
I get a green check and "You are protected". Nothing special with my Unbound config, just what others in these forums have said about glue, etc.
-
That's the weird thing. I used to get the check, now all of a sudden I don't. No change in config.
-
Odd - when I use google chrome I get the checkmark, but when I use internet explorer I get permissive mode.
-
The thing is noone here has any clue what's "permissive mode". Kindly test with something else.
Others:
- http://www.dnssec-or-not.org/
- http://dnssec.vs.uni-due.de/
-
Sorry… I should have been more descriptive. Permissive mode is an option in unbound. See here:
https://www.unbound.net/documentation/howto_turnoff_dnssec.html
-
There is no such configuration option for Unbound on pfSense. If you configured that manually, well, then you got what you configured and I'm really missing the point of this thread?!?
-
There is no such configuration option for Unbound on pfSense. If you configured that manually, well, then you got what you configured and I'm really missing the point of this thread?!?
That's the point of this thread. I didn't configure it manually, so how did it happen…
I'm using the default resolver settings with DNSSEC turned on.
Could be a bug?
-
Once again, there is absolutely NOTHING described about "permissive mode" anywhere on the test page you used. Repeated this for about 4 times already, gets annoying. I've provided multitude of other ways to check your DNSSEC, kindly use them. Or use dig or whatever similar to test your DNSSEC manually - https://wiki.debian.org/DNSSEC#Command_line
-
See attached…
The words "PERMISSIVE MODE" look pretty clear to me.
-
Hell. They have this fscking FAQ there. It says nothing about permissive. I am unable to get any such result there. I can get either pass or fail. Nothing "permissive". Now, either use the other ways to validate, or just have fun discussing this for a couple more days… Enough time wasted. I don't care about that site. Clear enough already?
The unbound configuratios is at /var/unbound/unbound.conf, you can check for your "permissive". Never been an option to be ticked in the GUI on 2.2.x
-
Hell. They have this fscking FAQ there. It says nothing about permissive. I am unable to get any such result there. I can get either pass or fail. Nothing "permissive". Now, either use the other ways to validate, or just have fun discussing this for a couple more days… Enough time wasted. I don't care about that site. Clear enough already?
The unbound configuratios is at /var/unbound/unbound.conf, you can check for your "permissive". Never been an option to be ticked in the GUI on 2.2.x
Thanks … will check the unbound.conf file.
As for the rest of your message... get a life buddy.
-
From unbound.net:
1. Permissive mode
Does not actually turn off dnssec, but stops the resolver from withholding bogus answers from clients. Resolution may be slow due to validation failures but can still proceed. Add to the unbound.conf file:
server: val-permissive-mode: yes
So, permissive mode allows the server to return a response even if DNSSEC fails, but the response could be bogus which defeats the entire point of DNSSEC.
-
Yep. Already linked above. Never been a GUI option on pfSense. Of course, when you tick DNSSEC in Unbound and instead of using it properly as a recursive resolver your forward the DNS to crap like OpenDNS (which does not support DNSSEC at all), then all you get is broken DNSSEC.
-
Yep. Already linked above.
I was just making it clearer for those who would rather not go link-following down rabbit holes. Why link externally when a single sentence says everything you need to know?
-
test 1) Using pfSense unbound with dnssec checked, site will report green check you are protected
test 2) Using pfSense unbound with dnssec unchecked, site will report red cross you are not protected
test 3) Using pfSense unbound with dnssec checked, site will report red cross you are not protected. Permissive mode detected:
Your DNSSEC is configured in "permissive mode" (or you use a combination of validating- and non-validating resolvers) and as such you are not protected.At this point I tried restarting unbound. flushdns, another browser all yielded Permissive mode detected: After a few hours site will report green check you are protected. sheesh
http://dnssectest.sidnlabs.nl/test.php
-
I would suggest testing elsewhere. I already did about 5 times, but apparently everyone insists on using the broken one.
-
btw. I get two thumbs up from Borat.