OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: ruggerio on March 19, 2018, 12:58:25 pm

Title: RFC Unbound: CNAMES
Post by: ruggerio on March 19, 2018, 12:58:25 pm
Hello,

CNAMES are commonly used in Network Environments. Could you please add the Option in unbound to add CNAME's to existing A-Records?

Thanks,
Roger
Title: Re: RFC Unbound: CNAMES
Post by: franco on March 20, 2018, 07:21:56 am
Hi Roger,

As a starting point... CNAME support was brought in and backed out again last year:

https://github.com/opnsense/core/pull/1617#issuecomment-299665206

Not sure what the state is now, but it was done at the contributor's request over concerns with the correctness in Unbound itself.


Cheers,
Franco
Title: Re: RFC Unbound: CNAMES
Post by: ruggerio on March 20, 2018, 07:22:13 am
Sorry about this.

After researching lots, i found, that unbound is no 100% the choose for this.

I changed to dnsmasq, which i know from Linux, it brings the functionality.

Question: is the actual implementation from dnsmasq in opnsense using dnssec?

Thx,
Roger
Title: Re: RFC Unbound: CNAMES
Post by: franco on March 20, 2018, 07:29:50 am
DNSSEC is not yet implemented in Dnsmasq in OPNsense so far. That was one of the reasons for switching to Unbound as the default last year, although DNSSEC had to be backed out of default installs because too many providers mess with user DNS in the first place.


Cheers,
Franco
Title: Re: RFC Unbound: CNAMES
Post by: ruggerio on March 20, 2018, 07:41:34 am
Thx Franco,

Do exist plans to implement dnssec in dnsmasq for opnsense?

Thx,
Roger
Title: Re: RFC Unbound: CNAMES
Post by: franco on March 20, 2018, 07:43:11 am
Yes, why not. although I'd kindly ask for a ticket and subsequent help in testing:

https://github.com/opnsense/core/issues

Best case also help in providing the configuration bits necessary to move this along quickly. :)


Cheers,
Franco
Title: Re: RFC Unbound: CNAMES
Post by: ruggerio on March 20, 2018, 08:08:47 am
Hi Franco,

Sorry, new to those processes :)

add DNSSEC-Support to DNSMASQ  #2275

Of course i will help testing it.

Thx
Roger