Bug #16345
openBind9 TLS auth failure
Status: New
Priority: Normal
Assignee: -
Category: BIND
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.8.x
Affected Plus Version:
Affected Architecture:
Description
When using bind920 installed from the GUI package manager, if we configure the forwarder to use upstream name servers with DNS over TLS, it fails with:

    dnssec: warning: managed-keys-zone: Unable to fetch DNSKEY set '.': failure

The forwarder fails to provide DNS service to the VLAN.

The failing pfSense GUI setup is:

GUI config - Options:

    forwarders {
        1.1.1.1 port 853 tls "cloudflare-tls";
    };

GUI config - General:

    tls cloudflare-tls {
        ca-file "/usr/local/etc/ssl/cert.pem";
        remote-hostname "cloudflare-dns.com";
        prefer-server-ciphers yes;
    };

Now, in the GUI, if we comment these lines:

    tls cloudflare-tls {
        //ca-file "/usr/local/etc/ssl/cert.pem";
        //remote-hostname "cloudflare-dns.com";
        prefer-server-ciphers yes;
    };

The TLS encryption works, but no auth is enforced, as per the docs.

If we install the same package from the pfSense shell main repo instead of the GUI package manager:

    pkg install bind920
    rndc-confgen -a
    sysrc named_enable="YES"
    service named start

And we use its main conf file:

    tls cloudflare-tls {
        ca-file "/usr/local/etc/ssl/cert.pem";
        remote-hostname "cloudflare-dns.com";
        prefer-server-ciphers yes;
    };

    options {
        directory "/usr/local/etc/namedb/working";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        listen-on port 6053 { 127.0.0.1; };
        // listen-on-v6 { ::1; };
        dnssec-validation auto;
        forwarders {
            1.1.1.1 port 853 tls "cloudflare-tls";
        };
    };

    logging {
        channel custom {
            //file "/var/named/var/log/named.log" size 10M;
            syslog daemon;
            print-time yes;
            print-severity yes;
            print-category yes;
            severity info;
        };
        category default { custom; };
    };

Now, this config works with proper TLS auth and encryption. Logs no longer show the dnssec errors.

I tested with 2.8.0 and 2.8.1 beta.
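The following is an added diagnostic, not code from the reporter, pfSense or BIND. It performs from outside named the same two checks that the `ca-file` and `remote-hostname` directives in the `tls` block request: chain verification against the CA bundle, and a hostname match against `cloudflare-dns.com`. It then sends one length-prefixed DNS query (RFC 7858 framing) over the session and parses the reply. The server `1.1.1.1`, port 853, the CA path `/usr/local/etc/ssl/cert.pem` and the hostname are the values from the report; the query name `example.com` is an arbitrary choice. If this script fails with a certificate verification error when run on the same host, the CA bundle or hostname is the problem; if it succeeds while named still logs the DNSKEY failure, the difference lies in how the GUI-installed named runs (one thing worth checking separately, not established by this report, is that the file is readable from the environment named actually runs in, for example inside a chroot, since the working and failing setups differ only in how named was installed and launched).

```python
"""Probe a DNS-over-TLS upstream with the same certificate checks a BIND `tls` block asks for.

Added diagnostic (not part of the bug report). Assumed values: upstream 1.1.1.1:853,
remote hostname cloudflare-dns.com, CA bundle /usr/local/etc/ssl/cert.pem (from the report),
query name example.com (arbitrary).
"""
import socket
import ssl
import struct


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query (RD set, IN class). qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label for label in qname.rstrip(".").split(".") if label]  # "." -> no labels
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_dns_response(data: bytes) -> dict:
    """Parse the header, skip the question section, collect A-record addresses."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # qtype + qclass
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        if rtype == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
        offset += rdlength
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & 0x0020),  # Authenticated Data: resolver validated DNSSEC
        "answers": ancount,
        "addresses": addresses,
    }


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TLS session mid-message")
        buf += chunk
    return buf


def dot_query(server: str, qname: str, ca_file: str, remote_hostname: str,
              port: int = 853, timeout: float = 5.0) -> dict:
    """Open a DoT session, verifying the chain against ca_file and the name against remote_hostname."""
    ctx = ssl.create_default_context(cafile=ca_file)  # raises if the bundle is unreadable
    ctx.check_hostname = True                          # the remote-hostname check
    ctx.verify_mode = ssl.CERT_REQUIRED                # the ca-file check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_dns_query(qname)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=remote_hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            result = parse_dns_response(_recv_exact(tls, length))
            result["tls_version"] = tls.version()
            result["peer_subject"] = dict(x[0] for x in tls.getpeercert()["subject"])
    return result


if __name__ == "__main__":
    try:
        print(dot_query("1.1.1.1", "example.com",
                        "/usr/local/etc/ssl/cert.pem", "cloudflare-dns.com"))
    except ssl.SSLCertVerificationError as exc:
        # Same failure class the tls block would hit: bad bundle, wrong hostname, or untrusted chain.
        print("TLS authentication failed:", exc)
    except OSError as exc:
        print("could not open the DoT session:", exc)
```

Run it as the same user named runs under so that file permissions on the CA bundle are exercised the way named would see them. The `ad` flag in the result shows whether the upstream validated DNSSEC for the answer, which is the capability the `managed-keys-zone` warning in the report indicates named could not exercise through the failing configuration.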