Bug #6570

Unbound breaks DNSSEC for pfSense's own hostname

Added by Mantas Mikulėnas over 3 years ago. Updated over 3 years ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: DNS Resolver
Target version: -
Start date: 07/01/2016
Due date:
% Done: 0%
Estimated time:
Affected Version: All
Affected Architecture:

Description

During config update, pfSense writes its own FQDN in /etc/hosts, such as:

10.64.0.1             pf-a73.example.com pf-a73
2001:db8:e27f:a40::1  pf-a73.example.com pf-a73

Then, the Unbound ("DNS Resolver") configurator reads every line of /etc/hosts and creates 'local-data' configuration items inside /var/unbound/host_entries.conf, such as:

local-data-ptr: "10.64.0.1 pf-a73.example.com"
local-data: "pf-a73.example.com A 10.64.0.1"
local-data: "pf-a73 A 10.64.0.1"
local-data-ptr: "2001:db8:e27f:a40::1 pf-a73.example.com"
local-data: "pf-a73.example.com AAAA 2001:db8:e27f:a40::1"
local-data: "pf-a73 AAAA 2001:db8:e27f:a40::1"

This, unfortunately, breaks DNSSEC signatures on the real pf-a73.example.com in DNS (which has the WAN IP address, while pfSense/Unbound are putting the LAN addresses in the local-data overrides). Since the signatures no longer match the data, computers on the LAN are unable to resolve my pfSense's domain name.

To avoid breaking DNSSEC, the Unbound host_entries.conf generator should be changed to be smarter about which /etc/hosts lines to include. IMHO, it should ignore all "local host" entries (matching localhost or system hostname or system FQDN).
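An added example of the filtering the report proposes, written in Python rather than pfSense's own PHP generator and not part of the project: it parses /etc/hosts lines, renders local-data entries in the format shown above, and skips loopback, localhost, and the firewall's own hostname and FQDN so the override for the real DNSSEC-signed name is never created. The sample hosts content and the hostname/FQDN values are constructed.

```python
import ipaddress

# Constructed sample of the /etc/hosts content described in the report.
SAMPLE_HOSTS = """\
127.0.0.1             localhost
::1                   localhost
10.64.0.1             pf-a73.example.com pf-a73
2001:db8:e27f:a40::1  pf-a73.example.com pf-a73
10.64.0.50            nas.example.com nas
"""


def parse_hosts(text):
    """Yield (address, [names]) for each non-empty, non-comment /etc/hosts line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        yield addr, names


def is_local_host_entry(addr, names, hostname, fqdn):
    """True for lines the generator should skip: loopback addresses, 'localhost',
    or any line naming the firewall's own short hostname or FQDN."""
    try:
        if ipaddress.ip_address(addr).is_loopback:
            return True
    except ValueError:
        return True  # malformed address: never hand it to Unbound
    skip = {"localhost", hostname.lower(), fqdn.lower()}
    return any(name.lower() in skip for name in names)


def host_entries(text, hostname, fqdn):
    """Render the local-data lines pfSense writes to host_entries.conf,
    minus the firewall's own entries (the fix the report asks for)."""
    out = []
    for addr, names in parse_hosts(text):
        if is_local_host_entry(addr, names, hostname, fqdn):
            continue
        rrtype = "AAAA" if ":" in addr else "A"
        out.append(f'local-data-ptr: "{addr} {names[0]}"')
        for name in names:
            out.append(f'local-data: "{name} {rrtype} {addr}"')
    return out
```

With the sample above, only the nas entries survive; the two pf-a73 lines that would shadow the signed public record are dropped.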

History

#1 Updated by Chris Buechler over 3 years ago

  • Status changed from New to Confirmed
  • Affected Version changed from 2.3 to All

It probably shouldn't write out anything to /etc/hosts or host_entries.conf for the host's own hostname if DHCP Registration and/or Static DHCP in Unbound isn't enabled. If those are, then the subject would still be an issue if it's a domain hosted elsewhere with DNSSEC, but that's an unavoidable circumstance and those who are in that situation shouldn't be enabling Unbound's registration.
