DNS Resolver / DNSSEC in permissive mode.
-
There is no such configuration option for Unbound on pfSense. If you configured that manually, well, then you got what you configured and I'm really missing the point of this thread?!?
That's the point of this thread. I didn't configure it manually, so how did it happen…
I'm using the default resolver settings with DNSSEC turned on.
Could be a bug?
-
Once again, there is absolutely NOTHING described about "permissive mode" anywhere on the test page you used. Repeated this for about 4 times already, gets annoying. I've provided multitude of other ways to check your DNSSEC, kindly use them. Or use dig or whatever similar to test your DNSSEC manually - https://wiki.debian.org/DNSSEC#Command_line
-
See attached…
The words "PERMISSIVE MODE" look pretty clear to me.
-
Hell. They have this fscking FAQ there. It says nothing about permissive. I am unable to get any such result there. I can get either pass or fail. Nothing "permissive". Now, either use the other ways to validate, or just have fun discussing this for a couple more days… Enough time wasted. I don't care about that site. Clear enough already?
The unbound configuratios is at /var/unbound/unbound.conf, you can check for your "permissive". Never been an option to be ticked in the GUI on 2.2.x
-
Hell. They have this fscking FAQ there. It says nothing about permissive. I am unable to get any such result there. I can get either pass or fail. Nothing "permissive". Now, either use the other ways to validate, or just have fun discussing this for a couple more days… Enough time wasted. I don't care about that site. Clear enough already?
The unbound configuratios is at /var/unbound/unbound.conf, you can check for your "permissive". Never been an option to be ticked in the GUI on 2.2.x
Thanks … will check the unbound.conf file.
As for the rest of your message... get a life buddy.
-
From unbound.net:
1. Permissive mode
Does not actually turn off dnssec, but stops the resolver from withholding bogus answers from clients. Resolution may be slow due to validation failures but can still proceed. Add to the unbound.conf file:
server: val-permissive-mode: yes
So, permissive mode allows the server to return a response even if DNSSEC fails, but the response could be bogus which defeats the entire point of DNSSEC.
-
Yep. Already linked above. Never been a GUI option on pfSense. Of course, when you tick DNSSEC in Unbound and instead of using it properly as a recursive resolver your forward the DNS to crap like OpenDNS (which does not support DNSSEC at all), then all you get is broken DNSSEC.
-
Yep. Already linked above.
I was just making it clearer for those who would rather not go link-following down rabbit holes. Why link externally when a single sentence says everything you need to know?
-
test 1) Using pfSense unbound with dnssec checked, site will report green check you are protected
test 2) Using pfSense unbound with dnssec unchecked, site will report red cross you are not protected
test 3) Using pfSense unbound with dnssec checked, site will report red cross you are not protected. Permissive mode detected:
Your DNSSEC is configured in "permissive mode" (or you use a combination of validating- and non-validating resolvers) and as such you are not protected.At this point I tried restarting unbound. flushdns, another browser all yielded Permissive mode detected: After a few hours site will report green check you are protected. sheesh
http://dnssectest.sidnlabs.nl/test.php
-
I would suggest testing elsewhere. I already did about 5 times, but apparently everyone insists on using the broken one.
-
btw. I get two thumbs up from Borat.
