Bug #16345

open

Bind9 TLS auth failure

Added by Phil Wardt 13 days ago. Updated 13 days ago.

Status: New
Priority: Normal
Assignee: -
Category: BIND
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.8.x
Affected Plus Version:
Affected Architecture:

Description

When using bind920 installed from the GUI package manager, if we configure the forwarder to use upstream name servers with DNS over TLS, it fails with:

dnssec: warning: managed-keys-zone: Unable to fetch DNSKEY set '.': failure

The forwarder fails to provide DNS service to the VLAN.

The failing pfSense GUI setup is:
GUI config - Options:

    forwarders {
        1.1.1.1 port 853 tls "cloudflare-tls";
    };

GUI config - General:

tls cloudflare-tls {
    ca-file "/usr/local/etc/ssl/cert.pem";
    remote-hostname "cloudflare-dns.com";
    prefer-server-ciphers yes;
};

Now, in GUI, if we comment these lines:

tls cloudflare-tls {
    //ca-file "/usr/local/etc/ssl/cert.pem";
    //remote-hostname "cloudflare-dns.com";
    prefer-server-ciphers yes;
};

The TLS encryption works, but no auth is enforced, as per the docs.

If we install the same package from the main repo via the pfSense shell instead of the GUI package manager:

pkg install bind920
rndc-confgen -a
sysrc named_enable="YES"
service named start

And we use its main conf file:

tls cloudflare-tls {
    ca-file "/usr/local/etc/ssl/cert.pem";
    remote-hostname "cloudflare-dns.com";
    prefer-server-ciphers yes;
};

options {
    directory    "/usr/local/etc/namedb/working";
    pid-file    "/var/run/named/pid";
    dump-file    "/var/dump/named_dump.db";
    statistics-file    "/var/stats/named.stats";

    listen-on port 6053 { 127.0.0.1;};

//    listen-on-v6    { ::1; };

    dnssec-validation auto;
    forwarders {
        1.1.1.1 port 853 tls "cloudflare-tls";
    };
};

logging {
    channel custom {
        //file "/var/named/var/log/named.log" size 10M;
        syslog daemon;
        print-time yes;
        print-severity yes;
        print-category yes;
        severity info;
    };
    category default { custom; };
};

Now, this config works with proper TLS auth and encryption. Logs no longer show the dnssec errors.

I tested with 2.8.0 and 2.8.1 beta.

#1

Updated by Phil Wardt 13 days ago

I also tested by editing the keys and changing permissions, but without success.

So, basically, in the current pfSense release, if we use a custom option to enable DNS over TLS, we cannot specify the options needed to enforce TLS authentication:

    ca-file "/usr/local/etc/ssl/cert.pem";
    remote-hostname "cloudflare-dns.com";

If we set them, DNS forwarding fails with the mentioned log errors.
If we comment them out, DNS forwarding works and TLS encryption is enabled (we can check it on the Cloudflare test page), but TLS authentication will not be enforced, as the doc mentions.
If we use the default repo installation, all works as expected. For this, we set up the main conf file, not the pfSense one set in the GUI:

/usr/local/etc/namedb/named.conf

Any hint for an easy quick fix to keep using the default implementation instead of having to manually hack the firewall now?
Also, ISC bind9 is by far more complete than unbound now that it supports DoT and even upstream DoH.
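The security-relevant point of the two configurations above is that the commented-out variant is not merely "less strict": with no ca-file, BIND does not verify the upstream certificate at all, so the forwarder is encrypted but talks to whoever answers on 1.1.1.1:853. The following script is an added example for this report, not code from pfSense or ISC BIND; it is a small named.conf audit that flags every forwarders entry that is plaintext, references a missing tls block, or references a tls block without ca-file / remote-hostname. The rule it applies is assumed from the BIND 9 ARM's tls statement (ca-file enables certificate verification, remote-hostname pins the expected name); the regex parser is a deliberate simplification of named.conf syntax, and the two sample configs are constructed from the values in this report.

```python
"""Audit BIND 9 forwarders for DNS over TLS without upstream authentication.

Added example for this bug report; it is not pfSense or ISC BIND code.
Rule assumed from the BIND 9 ARM "tls" statement: a tls block referenced by a
forwarders entry only verifies the upstream certificate when `ca-file` is set
(Strict TLS); `remote-hostname` pins the name expected in that certificate.
Without `ca-file` BIND uses opportunistic TLS: encrypted but unauthenticated,
which is what the commented-out variant in the report produces.
"""
import re

# Constructed sample: the working form from the report (ca-file and
# remote-hostname present).
STRICT_CONFIG = """
tls cloudflare-tls {
    ca-file "/usr/local/etc/ssl/cert.pem";
    remote-hostname "cloudflare-dns.com";
    prefer-server-ciphers yes;
};
options {
    dnssec-validation auto;
    forwarders {
        1.1.1.1 port 853 tls "cloudflare-tls";
    };
};
"""

# Constructed sample: the GUI workaround from the report, with the two
# authentication options commented out.
OPPORTUNISTIC_CONFIG = """
tls cloudflare-tls {
    //ca-file "/usr/local/etc/ssl/cert.pem";
    //remote-hostname "cloudflare-dns.com";
    prefer-server-ciphers yes;
};
options {
    forwarders {
        1.1.1.1 port 853 tls "cloudflare-tls";
    };
};
"""


def strip_comments(text: str) -> str:
    """Drop the three named.conf comment styles (/* */, //, #).

    Simplification: a '#' or '//' inside a quoted string is also stripped.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def parse_tls_blocks(text: str) -> dict:
    """Return {name: {option: value}} for each `tls <name> { ... };` block."""
    blocks = {}
    # A forwarder's `tls "name";` is followed by ';', not '{', so it is skipped.
    for m in re.finditer(r'\btls\s+"?([\w.-]+)"?\s*\{(.*?)\};', text, flags=re.S):
        opts = {}
        for stmt in m.group(2).split(";"):
            parts = stmt.split(None, 1)
            if parts:
                opts[parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else ""
        blocks[m.group(1)] = opts
    return blocks


def parse_forwarders(text: str) -> list:
    """Return [(address, port, tls_name or None)] from every forwarders block."""
    fwds = []
    for m in re.finditer(r"\bforwarders\s*\{(.*?)\};", text, flags=re.S):
        for stmt in m.group(1).split(";"):
            parts = stmt.split()
            if not parts:
                continue
            addr, port, tls_name = parts[0], 53, None
            # Only look at tokens that still have a value token after them.
            for i, tok in enumerate(parts[1:-1], start=1):
                if tok == "port":
                    port = int(parts[i + 1])
                elif tok == "tls":
                    tls_name = parts[i + 1].strip('"')
            fwds.append((addr, port, tls_name))
    return fwds


def audit(config: str) -> list:
    """One finding per forwarder that is not strictly authenticated; [] if all are."""
    text = strip_comments(config)
    tls_blocks = parse_tls_blocks(text)
    findings = []
    for addr, port, tls_name in parse_forwarders(text):
        where = f"{addr}:{port}"
        if tls_name is None:
            findings.append(f"{where}: plaintext DNS (no tls)")
        elif tls_name not in tls_blocks:
            findings.append(f'{where}: tls "{tls_name}" references an undefined tls block')
        elif "ca-file" not in tls_blocks[tls_name]:
            findings.append(f'{where}: tls "{tls_name}" is opportunistic TLS (no ca-file): '
                            "upstream certificate is not verified")
        elif "remote-hostname" not in tls_blocks[tls_name]:
            findings.append(f'{where}: tls "{tls_name}" has no remote-hostname: '
                            "expected certificate name is not pinned")
    return findings


if __name__ == "__main__":
    for label, cfg in (("strict", STRICT_CONFIG), ("opportunistic", OPPORTUNISTIC_CONFIG)):
        print(label, "->", audit(cfg) or ["ok: every forwarder is authenticated"])
```

Pointing `audit()` at the text of /usr/local/etc/namedb/named.conf (or at the GUI's generated file) gives a quick way to confirm which of the two states a firewall is actually in, since the only visible difference at runtime is the presence or absence of the dnssec warning in syslog.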
