Feature #14001

closed

Always disable DNSSEC if forwarding enabled in Resolver

Added by Steve Y about 1 year ago. Updated about 1 year ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
DNS Resolver
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

This is both a feature request and a regression. In just a few days I've experienced an issue and seen multiple forum posts where, after upgrading to 23.01, DNS has recurring failures, and disabling the "Enable DNSSEC" option fixes it. It was working without issue in 22.05 and earlier versions.

I suggest always disabling DNSSEC when forwarding is enabled in Resolver.

In my case I happened to notice some domains, including linkedin.com, were suddenly failing to resolve a couple of hours after upgrading. I did try re-enabling DNSSEC but was unable to immediately duplicate the problem, though I didn't wait any amount of time. With DNSSEC off I haven't had any more issues in several days.

A few of the recent forum threads:
https://forum.netgate.com/topic/178042/23-01-upgrade-unbound-issue
https://forum.netgate.com/topic/177217/pfblocker-blocking-all-dns/
https://forum.netgate.com/topic/178050/solved-intermittent-dns-problem-23-01/15

There are multiple recommendations to turn it off dating back years including:
https://forum.netgate.com/topic/120105/enable-dnssec-support-and-opendns/3
https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns.html#check-dns-service
https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS ("enabling DNSSEC at the forwarder level can cause false DNSSEC failures")

Actions #1

Updated by Jim Pingle about 1 year ago

  • Status changed from New to Rejected

While that may be a good practice, it isn't something we should force programmatically. Disabling security options unexpectedly because they might not work in your context isn't good for security overall.

Whether or not it works depends on the upstream resolver behavior, and we have no way to know if it's viable or not since that is out of our control.
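Both the Quad9 note in the description and the reply above come down to the same point: validation on top of forwarding only works if the upstream actually returns DNSSEC data for a DO-bit query. The following is an added check, not code from this issue or from pfSense, that classifies what a forwarder answers; it assumes `dig` is installed and the sample transcripts embedded below are constructed, not captured from a real upstream.

```shell
#!/bin/sh
# Query an upstream forwarder ($1) for a signed name ($2) with the DO bit set,
# the same kind of query Unbound's validator sends when forwarding.
query_upstream() {
  dig @"$1" +dnssec +adflag +tries=1 +time=3 "$2" A
}

# Classify dig output (read from stdin) into one verdict:
#   validated - upstream validated for us (AD bit) and returned RRSIGs
#   signed    - RRSIGs present but no AD bit: upstream passes DNSSEC data
#               through unvalidated, so a local validator can still work
#   stripped  - no RRSIGs at all: upstream ignores the DO bit, so a local
#               validator will mark answers bogus (the "false failures")
#   servfail  - upstream failed the query itself
classify_answer() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
    echo servfail
  elif printf '%s\n' "$out" | grep -q 'RRSIG'; then
    if printf '%s\n' "$out" | grep 'flags:' | grep -q ' ad[ ;]'; then
      echo validated
    else
      echo signed
    fi
  else
    echo stripped
  fi
}

# Live use, e.g.: check_upstream 192.0.2.53 example.com  (placeholder upstream)
check_upstream() {
  query_upstream "$1" "$2" | classify_answer
}

# Constructed, abridged dig transcripts for offline testing of classify_answer.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN RRSIG A 13 2 3600 20990101000000 20240101000000 12345 example.com. c29tZXNpZw=='
SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.com. 3600 IN A 192.0.2.10'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

A "stripped" verdict is the case where unchecking "Enable DNSSEC" is the only option short of changing the upstream; "signed" or "validated" means the combination can work.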
