OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: SecAficionado on January 27, 2018, 11:01:28 pm

Title: Need help configuring Unbound DNS
Post by: SecAficionado on January 27, 2018, 11:01:28 pm
Hello,

I have been looking at the details of the DNS configuration in order to enable DNSSEC on my opnsense box. However, I am having trouble getting it to work correctly.

I went to the Services/Unbound DNS/Settings tab and checked the boxes to enable DNSSEC and some hardening options (no version, etc). I click save and everything looks good and happy. In spite of that, when I log into the box and check the contents of /usr/local/etc/unbound, I do not see root.key, icannbundle.pem, or root-anchors.(p7s, xml) files. Unbound has a built-in anchor, but their web site recommends getting the latest files.

More concerning, though, I checked the contents of /usr/local/etc/unbound/unbound.conf and none of my selected options were unchecked in the config file. So, now I am wondering if I am even looking at the right place. Is the config file used at all, are these options passed in the command line at startup, or is there another config file I should be inspecting?

I am running opnsense 17.7.12, libressl flavor, on an AMD Athlon 64 x2 box.

Thanks for your help!
P.S. I just saw the thread about updating to 1.6.8 and the instructions provided worked.
Title: Re: Need help configuring Unbound DNS
Post by: fabian on January 27, 2018, 11:15:17 pm
Some legacy pages write the config to /var - I hope that will be migrated some day.
Title: Re: Need help configuring Unbound DNS
Post by: SecAficionado on January 27, 2018, 11:48:16 pm
Ah, there it is! Thanks! I will continue exploring :D

I hope that will be migrated some day.
Yes, me too
Title: Re: Need help configuring Unbound DNS
Post by: franco on January 28, 2018, 12:56:49 pm
I'm unsure what the request is here... we have a checkbox for DNSSEC... is this missing functionality?
Title: Re: Need help configuring Unbound DNS
Post by: SecAficionado on January 28, 2018, 03:33:08 pm
Hi Franco,

Thanks for checking in. The request is to migrate Unbound's folders from /var to /usr/local/etc/, as the application expects by default. Alternatively, we could add text in the help section, or somewhere else, indicating where the config files reside.

I've never looked at the code base, but if you point me in the right direction, I'd be happy to take a peek and see how hard that would be for a n00b like me.

Thanks!!
Title: Re: Need help configuring Unbound DNS
Post by: mausy5043 on January 28, 2018, 03:55:11 pm
More concerning, though, I checked the contents of /usr/local/etc/unbound/unbound.conf and none of my selected options were unchecked in the config file. So, now I am wondering if I am even looking at the right place. Is the config file used at all, are these options passed in the command line at startup, or is there another config file I should be inspecting?

I had a similar "problem" trying to understand the implementation of dnsmasq. None of its config files seemed to reflect the settings I had selected in the GUI. I then noticed (using ps aux I think) that the options I selected in the GUI are being passed directly to dnsmasq as command options.
I haven't had time to experiment with unbound but I'm guessing the same may be happening there.

For dnsmasq I just added an extra option in the GUI under Dnsmasq > Settings > Advanced : conf-dir=/usr/local/etc/dnsmasq.d/,*.conf. This allows me to add any additional options I want in a separate file.

Hope this helps.
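The two checks mausy5043 and fabian describe (look at the running process to see which config file or command-line options it was actually started with, then verify that file reflects the GUI settings) as an added example; this is not code from the thread or from OPNsense. The ps output, the /var/unbound path, and both config files below are constructed stand-ins, and the directive names checked are standard unbound.conf options (auto-trust-anchor-file, module-config, hide-version and friends).

```shell
#!/bin/sh
# Added example, not from the thread. Given the command lines of running
# daemons, find the config file unbound was actually started with, then
# check that file for the directives the DNSSEC / hardening checkboxes
# should produce. All paths and config contents below are constructed.

# Constructed stand-in for `ps axww -o command` on an OPNsense box.
SAMPLE_PS='/usr/local/sbin/unbound -c /var/unbound/unbound.conf
/usr/local/sbin/dnsmasq --all-servers --conf-dir=/usr/local/etc/dnsmasq.d/,*.conf
/usr/sbin/syslogd -s'

# unbound_config_from_ps PS_TEXT: print the argument of unbound's -c flag,
# or "none" if unbound is not running or was started without one.
unbound_config_from_ps() {
    printf '%s\n' "$1" | awk '
        $1 ~ /\/unbound$/ {
            for (i = 2; i < NF; i++) if ($i == "-c") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# dnssec_status CONF: "enabled" when the config names a trust anchor and the
# validator module is still in module-config (the default when the line is
# absent), otherwise "disabled".
dnssec_status() {
    if ! grep -Eq '^[[:space:]]*(auto-)?trust-anchor-file:' "$1"; then
        echo disabled; return
    fi
    # An explicit module-config without "validator" switches validation off
    # even though an anchor is configured.
    if grep -Eq '^[[:space:]]*module-config:' "$1" &&
       ! grep -Eq '^[[:space:]]*module-config:.*validator' "$1"; then
        echo disabled; return
    fi
    echo enabled
}

# hardening_status CONF: space-separated list of the common hardening
# directives that are set to yes in the config.
hardening_status() {
    set_opts=""
    for opt in hide-identity hide-version harden-glue harden-dnssec-stripped; do
        if grep -Eq "^[[:space:]]*$opt:[[:space:]]*yes" "$1"; then
            set_opts="$set_opts${set_opts:+ }$opt"
        fi
    done
    echo "$set_opts"
}

# Two constructed config files: one as the GUI would write it with DNSSEC
# and hardening on, one where validation was turned off via module-config.
TMPD=$(mktemp -d)
GOOD_CFG="$TMPD/unbound-dnssec.conf"
BAD_CFG="$TMPD/unbound-nodnssec.conf"
cat > "$GOOD_CFG" <<'EOF'
server:
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    auto-trust-anchor-file: /var/unbound/root.key
EOF
cat > "$BAD_CFG" <<'EOF'
server:
    hide-version: yes
    auto-trust-anchor-file: /var/unbound/root.key
    module-config: "iterator"
EOF

echo "unbound config in use: $(unbound_config_from_ps "$SAMPLE_PS")"
echo "$GOOD_CFG: dnssec $(dnssec_status "$GOOD_CFG"); hardening: $(hardening_status "$GOOD_CFG")"
echo "$BAD_CFG: dnssec $(dnssec_status "$BAD_CFG"); hardening: $(hardening_status "$BAD_CFG")"
```

On a live box you would replace SAMPLE_PS with the real `ps axww -o command` output and point dnssec_status at whatever path the -c flag reports, which is the file to inspect rather than /usr/local/etc/unbound/unbound.conf. The module-config check matters because an anchor file alone does not prove validation is on.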
Title: Re: Need help configuring Unbound DNS
Post by: franco on January 28, 2018, 09:29:04 pm
Hi SecAficionado,

Unbound is pretty lax in the way that it allows advanced config file contents from the advanced configuration GUI field. That is how most things can be done directly from there. I would have to ask again how DNSSEC is not working for you given the GUI switch has been there for a long time and at least for 17.7 was the default? Or are you following a particular command line FreeBSD tutorial (e.g. Calomel)?

Dnsmasq is similar in integration, but mainly works via command line argument additions like mausy suggests.

Generally, we try to avoid telling users about configuration files, enforce integrity through rewriting configurations, talking over the service in a way that is hard to override to be able to provide a safety net against misconfiguration.

With that in mind we ask about what special features users look for and would rather implement them in the GUI directly. The turnaround time on those is usually not that bad with a patch being provided quickly as an intermediate solution for the requester.


Cheers,
Franco