Hi, during testing I found that after a reboot the Startpage suddenly shows "WARNING: DNSSEC has been disabled" - but its ENABLED. Every DNSSEC resolver test is OK and "Status (network external)" shows both nameservers as "DNSSEC Validating". '/etc/unbound/unbound.conf' contains: ... # DNSSEC auto-trust-anchor-file: "/var/lib/unbound/root.key" val-permissive-mode: no ... Restarting 'unbound' had no effect, the file '/var/ipfire/red/dnssec-status' still says "off": ... root@ipfire: /etc/init.d # /etc/init.d/unbound restart Stopping Unbound DNS Proxy... [ OK ] Starting Unbound DNS Proxy... [ OK ] Configuring upstream name server(s): 84.200.69.80 84.200.70.40 [ OK ] ... Perhaps some bug in http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=183b23b5ca703bd0ee837e135c84a9b91b1fcb91 ? Best, Matthias
Hi, Addendum: I manually changed '/var/ipfire/red/dnssec-status' to 'on'. Warning is gone and restarting 'unbound' didn't change that. File still contains 'on'. Best, Matthias
Next addendum: After rebooting, '/var/ipfire/red/dnssec-status' is 'off' again. Testing my nameservers shows: ... root@ipfire: /etc/init.d # /etc/init.d/unbound test-name-server 84.200.69.80 84.200.69.80 is validating 84.200.69.80 supports TCP fallback EDNS buffer size for 84.200.69.80: 4096 root@ipfire: /etc/init.d # /etc/init.d/unbound test-name-server 84.200.70.40 84.200.70.40 is validating 84.200.70.40 supports TCP fallback EDNS buffer size for 84.200.70.40: 4096 root@ipfire: /etc/init.d # /etc/init.d/unbound update-forwarders Configuring upstream name server(s): 84.200.69.80 84.200.70.40 [ OK ] root@ipfire: /etc/init.d # /etc/init.d/unbound restart Stopping Unbound DNS Proxy... [ OK ] Starting Unbound DNS Proxy... [ OK ] Configuring upstream name server(s): 84.200.69.80 84.200.70.40 [ OK ] root@ipfire: /etc/init.d # cat /var/ipfire/red/dnssec-status off ... Anything else I could do? Best, Matthias
Workaround: I changed line 440 in '/etc/init.d/unbound'. From: [ "${status}" = "no" ] && return 0 To: [ "x${status}" = "xno" ] Works for me. For a test, I deleted '/var/ipfire/red/dnssec-status' and ran '/wtc/init.d/update-forwarders'. File was created containing "on", warning is gone, DNSSEC is enabled (as it always was). Best, Matthias
Sorry, too many typos in last message: I meant: ... For a test, I deleted '/var/ipfire/red/dnssec-status' and ran '/etc/init.d/unbound update-forwarders'. ...
Hi, Could someone please test and/or confirm? There are two forum posts by now dealing with this warning: https://forum.ipfire.org/viewtopic.php?f=22&t=18632 and https://forum.ipfire.org/viewtopic.php?f=22&t=18629 Best, Matthias
The fix is slightly different and will be shipped with C111. Please test to confirm. http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=094a27c8f9bf39b5b5b6df1a28d976d9f52e776f
Hi, Below my test results so far, all commands were started one after another, no reboot. 1. Stopping 'unbound' (no problems, immediate response): root@ipfire: /etc/init.d # /etc/init.d/unbound stop Stopping Unbound DNS Proxy... [ OK ] 2. Updating forwarders (took a long time, ~60 sec., some errors(?)): root@ipfire: /etc/init.d # /etc/init.d/unbound update-forwarders Configuring upstream name server(s): 84.200.69.80 84.200.70.40 [ OK ] [1493559056] unbound-control[17495:0] error: connect: Connection refused for 127.0.0.1 [1493559056] unbound-control[17496:0] error: connect: Connection refused for 127.0.0.1 [1493559056] unbound-control[17497:0] error: connect: Connection refused for 127.0.0.1 [1493559056] unbound-control[17498:0] error: connect: Connection refused for 127.0.0.1 3. Deleted '/var/ipfire/red/dnssec-status', followed by starting 'unbound' (took a long time, EDNS reduced): root@ipfire: /etc/init.d # /etc/init.d/unbound start Starting Unbound DNS Proxy... [ OK ] EDNS buffer size reduced to [ WARN ] Configuring upstream name server(s): 84.200.69.80 84.200.70.40 [ OK ] 4. Followed by restarting 'unbound' (a lot faster, no EDNS warning): root@ipfire: /etc/init.d # /etc/init.d/unbound restart Stopping Unbound DNS Proxy... [ OK ] Starting Unbound DNS Proxy... [ OK ] Configuring upstream name server(s): 84.200.69.80 84.200.70.40 [ OK ] 5. Testing forwarders again, now one DNS is suddenly "broken"(!?): root@ipfire: /etc/init.d # /etc/init.d/unbound update-forwarders Ignoring broken upstream name server(s): 84.200.70.40 [ WARN ] Configuring upstream name server(s): 84.200.69.80 [ OK ] 6. Testing name server DNS 1: root@ipfire: /etc/init.d # /etc/init.d/unbound test-name-server 84.200.69.80 84.200.69.80 is validating 84.200.69.80 supports TCP fallback EDNS buffer size for 84.200.69.80: 4096 7. Testing name server DNS 2 (seems to have problems!?): root@ipfire: /etc/init.d # /etc/init.d/unbound test-name-server 84.200.70.40 Test failed for an unknown reason 8. Second try for DNS 2: root@ipfire: /etc/init.d # /etc/init.d/unbound test-name-server 84.200.70.40 84.200.70.40 is DNSSEC-aware 84.200.70.40 supports TCP fallback EDNS buffer size for 84.200.70.40: 2048 It seems that DNSSEC validation is not always working properly, it could be that DNS-Watch currently has some problems. System is running anyway. '/var/ipfire/red/dnssec-status' is "on", startpage ok. Status / Network (external) just showed 84.200.69.80 as "not validating", this changed to "DNSSEC Validating" after the next try. Best, Matthias
Hi, I changed DNS-Servers and made some tests again as listed above: no problems with 'dnssec-status'-file found so far. Seems to work now. Best, Matthias
I can confirm this problem on one of my systems. Strangely, the other (which is very similarly configured) does not do this. Here are the differences I'm aware of between the two systems: Problematic IPFire: -static IP from ISP -uses Norton DNS servers (199.85.126.20, 199.85.127.20) IPFire without this bug: -dynamic IP from ISP -uses Google DNS servers (8.8.8.8, 8.8.4.4) Both sets of DNS servers support DNSSEC. Both IPFires use the same unbound adblocking script: https://github.com/sfeakes/ipfire-scripts/blob/master/dns_blocklist.sh
One more difference I remembered: the problematic IPFire (with this bug) has DHCP turned off (it's handled by Windows Server). The IPFire without the issue (the same one with dynamic IP and Google DNS servers) also is the DHCP server.
I have tested Michael's change and can confirm it corrects the problem on the firewall systems which displayed the problem. It also did not create any problems on systems which were working correctly.
How do I implement this change, or do I need to wait for core 111. It looks like a text file can be edited, but not sure which one or where it is.
Shipped in c111