OPNsense Forum

English Forums => General Discussion => Topic started by: RamSense on December 16, 2023, 06:54:42 PM

Title: Solved - Bind DNSSEC localdomain
Post by: RamSense on December 16, 2023, 06:54:42 PM
I have Bind running and AdGuard Home. In AdGuard I get a green lock when an external domain of mine is validated with DNSSEC.
Is there a how-to on how to do this with a local domain in Bind, for localdomain.com?
I would like this to avoid DNS sniffing on local connections. Does someone have experience with this?

Thanks for the help!
Title: Re: Bind DNSSEC localdomain
Post by: RamSense on December 17, 2023, 08:27:30 AM
OK, a bit further, I think. I found this guide and explanation: https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf

With chapter 4 - 4.1.3 and checking with the delv command I got another result:

delv @192.168.1.1 -a /var/cache/localdomain.com.key +root=localdomain.com localdomain.com. SOA +multiline
;; /var/cache/localdomain.com.key:1: option 'trusted-keys' is deprecated
;; validating localdomain.com/SOA: got insecure response; parent indicates it should be secure
;; insecurity proof failed resolving 'localdomain.com/SOA/IN': 192.168.1.1#53
;; resolution failed: insecurity proof failed

The first line, trusted-keys is deprecated, I found elsewhere: From version 9.16.0, the 'trusted-keys' and 'managed-keys' statements are deprecated, and only the replacement options 'static-key' and 'initial-key' should be used (within the 'trust-anchors' statement). If the trust anchors aren't available in DNSKEY format, but only in DS format (as with new root trust anchors announced but not yet published by IANA), you can use them with the options 'static-ds' and 'initial-ds'.

But when I use static-key, initial-key, static-ds or initial-ds, it does not recognize it (OPNsense Bind does not yet support it?), so I stuck with trusted-keys.

But I do not get the
fully validated
result. What am I missing?

IN DNSKEY => empty (?)

dig DNSKEY localdomain.com @localhost +multiline

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30932
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;localdomain.com.      IN DNSKEY

;; AUTHORITY SECTION:
localdomain.com.      3158 IN   SOA localhost. info.localdomain.com. (
            2312171219 ; serial
            21600      ; refresh (6 hours)
            3600       ; retry (1 hour)
            3542400    ; expire (5 weeks 6 days)
            3600       ; minimum (1 hour)
            )

;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Sun Dec 17 12:31:17 CET 2023
;; MSG SIZE  rcvd: 104
Title: Re: Bind DNSSEC localdomain
Post by: RamSense on December 17, 2023, 06:58:07 PM
Got the
; fully validated

now back. Again one step further. Looks like it took some time to propagate, which I did not expect using Bind and a domain locally.

Now trying to get the
flags: ad

Got it now also. Solved.
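Added example, not from the thread or from OPNsense/Bind: a small POSIX shell function that classifies the dig output the posts above inspect by hand (empty ANSWER section vs. answer present vs. answer present with the ad flag). The key data in the second constructed sample is a placeholder, not a real DNSKEY.

```shell
#!/bin/sh
# Reads the output of   dig DNSKEY <zone> @<resolver> +dnssec   on stdin
# and prints one verdict:
#   unsigned              - empty ANSWER section (no DNSKEY published yet)
#   signed-not-validated  - DNSKEY answered, but no 'ad' flag (resolver has no
#                           trust anchor for the zone, or validation failed)
#   validated             - DNSKEY answered and the 'ad' flag is set
# Exit status is 0 only for "validated", so it can gate a script.
dnssec_verdict() {
    out=$(cat)
    # ANSWER count from the ";; flags: ...; QUERY: n, ANSWER: n, ..." header line
    answers=$(printf '%s\n' "$out" | sed -n 's/^;; flags:.*ANSWER: \([0-9][0-9]*\),.*/\1/p' | head -n 1)
    # header flags, e.g. "qr rd ra ad" (the EDNS line starts with "; " and is skipped)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    if [ "${answers:-0}" -eq 0 ]; then
        echo unsigned
        return 2
    fi
    case " $flags " in
        *" ad "*) echo validated; return 0 ;;
        *)        echo signed-not-validated; return 1 ;;
    esac
}

# Constructed sample 1: the header of the empty DNSKEY query from the thread.
sample_unsigned() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30932
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
EOF
}

# Constructed sample 2: what a validating resolver returns once the zone is
# signed and a trust anchor is configured (key and signature data are placeholders).
sample_validated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
localdomain.com.  3600 IN DNSKEY 257 3 13 <KSK-PLACEHOLDER>
localdomain.com.  3600 IN RRSIG  DNSKEY 13 2 3600 <RRSIG-PLACEHOLDER>
EOF
}

# Live usage on the firewall (assumed resolver address from the thread):
#   dig DNSKEY localdomain.com @192.168.1.1 +dnssec | dnssec_verdict
```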