Unbound breaks DNSSEC for pfSense's own hostname
During config update, pfSense writes its own FQDN in /etc/hosts, such as:
10.64.0.1 pf-a73.example.com pf-a73 2001:db8:e27f:a40::1 pf-a73.example.com pf-a73
Then, the Unbound ("DNS Resolver") configurator reads every line of /etc/hosts and creates 'local-data' configuration items inside
/var/unbound/host_entries.conf, such as:
local-data-ptr: "10.64.0.1 pf-a73.example.com" local-data: "pf-a73.example.com A 10.64.0.1" local-data: "pf-a73 A 10.64.0.1" local-data-ptr: "2001:db8:e27f:a40::1 pf-a73.example.com" local-data: "pf-a73.example.com AAAA 2001:db8:e27f:a40::1" local-data: "pf-a73 AAAA 2001:db8:e27f:a40::1"
This, unfortunately, breaks DNSSEC signatures on the real pf-a73.example.com in DNS (which has the WAN IP address, while pfSense/Unbound are putting the LAN addresses in the local-data overrides). Since the signatures no longer match the data, computers on the LAN are unable to resolve my pfSense's domain name.
To avoid breaking DNSSEC, the Unbound
host_entries.conf generator should be changed to be smarter about which /etc/hosts lines to include. IMHO, it should ignore all "local host" entries (matching
localhost or system hostname or system FQDN).
Updated by Chris Buechler over 5 years ago
- Status changed from New to Confirmed
- Affected Version changed from 2.3 to All
It probably shouldn't write out anything to /etc/hosts or host_entries.conf for the host's own hostname if DHCP Registration and/or Static DHCP in Unbound isn't enabled. If those are, then subject would still be an issue if it's a domain hosted elsewhere with DNSSEC, but that's an unavoidable circumstance and those who are in that situation shouldn't be enabling Unbound's registration.