I am sure that I am probably doing something wrong here, but I have exhausted my troubleshooting ability. I just switched to OPNsense from pfsense and started having issues with Cert-Manager on my Kubernetes cluster.
Locally I have an internal DNS record for my-domain.tld and I am trying to get a certificate for it; when Cert-Manager asks for the TXT record, however, it gets an empty response. If I query my forwarding server directly I can see it. (my-domain.tld is just a stand-in.)
Now, if I turn off the local override, the TXT record does in fact resolve like it should.
I have tried changing the Local Zone Type to TYPETRANSPARENT instead of just TRANSPARENT but it does not seem to have made a difference.
My dig outputs are as follows:
=== With the local override ===
; <<>> DiG 9.18.20 <<>> @10.100.4.1 my-domain.tld TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10477
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;my-domain.tld. IN TXT
;; Query time: 0 msec
;; SERVER: 10.100.4.1#53(10.100.4.1) (UDP)
;; WHEN: Fri Dec 22 19:56:23 EST 2023
;; MSG SIZE rcvd: 46
=== Without the local override ===
; <<>> DiG 9.18.20 <<>> @10.100.4.1 status.unit15.net TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59550
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;my-domain.tld. IN TXT
;; ANSWER SECTION:
my-domain.tld. 300 IN TXT "This is a test"
;; Query time: 112 msec
;; SERVER: 10.100.4.1#53(10.100.4.1) (UDP)
;; WHEN: Fri Dec 22 19:56:13 EST 2023
;; MSG SIZE rcvd: 73
Any help would be greatly appreciated. Thanks!
That's by design, as mentioned in the help text on the host overrides page:
> Keep in mind that all resource record types (i.e. A, AAAA, MX, etc. records) of a specified host below are being overwritten.
Cheers
Maurice
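The two dig runs in the question already contain the diagnostic signal Maurice describes: the local override answers with the `aa` (authoritative answer) flag and ANSWER: 0, i.e. a NODATA reply served from Unbound's local zone, while the forwarding server answers without `aa` and with one TXT record. The script below is an added example (not from the forum post or from OPNsense) that parses dig output and flags this "override shadows the record" pattern, which is the failure mode cert-manager's DNS-01 self-check hits. The two sample outputs are copied from the post with the poster's placeholder domain; the helper names `parse_dig` and `diagnose` are my own.

```python
"""
Parse dig output and diagnose whether a local resolver override is
shadowing a record (for example a TXT record needed for an ACME
DNS-01 challenge).  Added example; the sample outputs are the two
dig runs from the forum post, embedded as constructed input so the
script runs offline.
"""
import re
from dataclasses import dataclass, field

# Output seen with the Unbound host override enabled (from the post).
LOCAL_OVERRIDE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10477
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;my-domain.tld. IN TXT

;; Query time: 0 msec
"""

# Output seen with the override disabled, i.e. answered by forwarding.
UPSTREAM = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59550
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;my-domain.tld. IN TXT
;; ANSWER SECTION:
my-domain.tld. 300 IN TXT "This is a test"
;; Query time: 112 msec
"""

HEADER_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([\w ]*?);.*ANSWER: (\d+)")


@dataclass
class DigResult:
    status: str = ""
    flags: set = field(default_factory=set)
    answer_count: int = 0
    # (owner name, ttl, record type, rdata) tuples from the ANSWER SECTION
    answers: list = field(default_factory=list)


def parse_dig(text: str) -> DigResult:
    """Extract status, header flags and answer records from dig output."""
    result = DigResult()
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if "->>HEADER<<-" in line:
            result.status = HEADER_RE.search(line).group(1)
        elif line.startswith(";; flags:"):
            m = FLAGS_RE.match(line)
            result.flags = set(m.group(1).split())
            result.answer_count = int(m.group(2))
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";"):
            in_answer = False          # any other comment line ends the section
        elif in_answer and line:
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            result.answers.append((name, int(ttl), rtype, rdata))
    return result


def diagnose(local: DigResult, upstream: DigResult, rtype: str = "TXT") -> str:
    """
    Compare the local resolver's reply with the upstream reply.
    'shadowed-by-override': local answered authoritatively (aa) with
    NODATA while upstream has the record -- the override is masking it.
    """
    local_has = any(a[2] == rtype for a in local.answers)
    upstream_has = any(a[2] == rtype for a in upstream.answers)
    if local_has:
        return "ok"
    if not upstream_has:
        return "missing-upstream"
    if local.status == "NOERROR" and "aa" in local.flags:
        return "shadowed-by-override"
    return "unknown"


if __name__ == "__main__":
    verdict = diagnose(parse_dig(LOCAL_OVERRIDE), parse_dig(UPSTREAM))
    print(verdict)  # shadowed-by-override
```

In practice you would feed it the output of `dig @<local-resolver> <name> TXT` and `dig @<upstream> <name> TXT`; the `aa` flag on a resolver that is supposed to be recursing is the tell that a local zone, not the real authority, answered.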
I understand that this is by design but is there an option to create local TXT records? I can't seem to find it.
Unbound is a recursive DNS server, it can't add all types of records. For that you would need a proper split dns zone with bind for example.
I know that split-horizon DNS zones might look like the easiest option, but you might want to look into configuring hairpin NAT instead. Then you can always use your authoritative DNS server instead of overriding records with a recursive one.
And you will have much less pain in the future because the setup just works flawlessly once configured.
https://docs.opnsense.org/manual/how-tos/nat_reflection.html
Thanks a lot @Monviech. I will take a look. I probably found a workaround for the issue I was facing (mail server and DKIM, SPF, DMARC records) but I might bump into this later anyways :)