Bug #10832

closed

Bind DNSSEC validation "deselected" not disabling DNSSEC validation

Added by Dave Tickem over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Category: BIND
Target version: -
Start date: 08/13/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: 2.4.5-p1
Affected Plus Version:
Affected Architecture: All

Description

Bind global settings page, "Forwarder Configuration" - DNSSEC Validation setting.

Bug: The DNSSEC Validation tick-box has no effect, as pfSense has root zone keys, so "auto" behaviour is used whether ticked or not.

Explanation: Referencing docs: https://downloads.isc.org/isc/bind9/9.14.12/doc/arm/Bv9ARM.ch04.html#dnssec_config

  • If DNSSEC-Validation tickbox is enabled, adds: "dnssec-validation yes;" (wrong, as config is missing "trusted-keys" or "managed-keys" statement.)
  • If DNSSEC-Validation tickbox is disabled, removes "dnssec-validation" clause altogether. (result: uses trust anchor for the DNS root zone automatically. Same effect as "yes" without trusted-keys/managed-keys)

Suggested fix:

  1. Change forwarder DNSSEC Validation tickbox to a drop-down selection of [yes|auto|no].
  2. Default value of "yes" which will result in the same default behaviour as before the change.
  3. Add an HTML URL outcall reference to the documentation link for explanation - as linked above.

I recognise the proposed default of "yes" appears to contradict the existing "unticked" - but according to docs (and testing) the actual default behaviour now is equivalent to "yes".

This proposed fix will still allow the operator to add trusted-keys/managed keys for a correctly configured "yes" setup, as well as enabling the "auto" and "no" behaviour without recourse to "advanced options".

[ or, simple fix, remove the tickbox altogether, as it is all too easy to get this config setup wrong. ]

Temporary workaround - clear checkbox and add "dnssec-validation no;" in the advanced custom options section. Thank you for having this extra configuration feature!!!
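
A check for the behaviour reported above, as an added example (not code from the pfSense BIND package or from the reporter): it reads named.conf text and reports whether `dnssec-validation` is explicitly set, so a missing clause is not mistaken for "disabled". The sample configs, the forwarder address and the function names are constructed for illustration.

```python
import re

# Constructed named.conf fragments mirroring the three cases in the report:
# tick-box enabled, tick-box cleared, and the custom-options workaround.
TICKED = """options {
    forwarders { 192.0.2.53; };   // constructed address
    dnssec-validation yes;
};"""
UNTICKED = """options {
    forwarders { 192.0.2.53; };
    # dnssec-validation no;   (commented out, must not count)
};"""
WORKAROUND = """options {
    forwarders { 192.0.2.53; };
    dnssec-validation no;
};"""


def strip_comments(conf):
    """Drop /* */, // and # comments, all of which named.conf accepts.

    Simplification: comment markers inside quoted strings are not handled.
    """
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def audit_dnssec_validation(conf):
    """Return (explicit_value_or_None, finding) for named.conf text."""
    text = strip_comments(conf)
    clause = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", text)
    has_anchor = bool(re.search(r"\b(trusted-keys|managed-keys)\s*\{", text))
    if clause is None:
        # The case in this report: no clause does not mean validation is off.
        return None, "clause absent: named applies its built-in default, not 'no'"
    value = clause.group(1)
    if value == "no":
        return value, "validation explicitly disabled"
    if value == "yes" and not has_anchor:
        return value, "'yes' without a trusted-keys/managed-keys statement"
    return value, "validation enabled"


if __name__ == "__main__":
    for name, conf in (("ticked", TICKED), ("unticked", UNTICKED),
                       ("workaround", WORKAROUND)):
        print(name, audit_dnssec_validation(conf))
```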

Actions #2

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #4

Updated by Dave Tickem over 3 years ago

Renato Botelho wrote:

PR has been merged. Thanks!

Updated to bind 9.14_8, which includes this fix - works as required.

Great fix - thanks!

Actions #5

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved