OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Solved - Bind DNSSEC localdomain
« previous next »
  • Print
Pages: [1]

Author Topic: Solved - Bind DNSSEC localdomain  (Read 1159 times)

RamSense

  • Hero Member
  • *****
  • Posts: 595
  • Karma: 10
    • View Profile
Solved - Bind DNSSEC localdomain
« on: December 16, 2023, 06:54:42 pm »
I have Bind running and Adguard home. In Adguard I get a green-lock when an external domain of mine is validated with dnssec.
Is there an how to, on thow to do this with localdomain in bind? for localdomain.com ?
I would like this to avoid dns sniffing on local connections, has someone experience with this?

thanks for the help!
« Last Edit: December 17, 2023, 06:59:38 pm by RamSense »
Logged

RamSense

  • Hero Member
  • *****
  • Posts: 595
  • Karma: 10
    • View Profile
Re: Bind DNSSEC localdomain
« Reply #1 on: December 17, 2023, 08:27:30 am »
Ok, a bit further i think. I found this guide and explanation: https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf

With chapter 4 - 4.1.3 and cheking with the delv command I got another result:

Quote
delv @192.168.1.1 -a /var/cache/localdomain.com.key +root=localdomain.com localdomain.com. SOA +multiline
;; /var/cache/localdomain.com.key:1: option 'trusted-keys' is deprecated
;; validating localdomain.com/SOA: got insecure response; parent indicates it should be secure
;; insecurity proof failed resolving 'localdomain.com/SOA/IN': 192.168.1.1#53
;; resolution failed: insecurity proof failed

first line trusted-keys is deprecated i found elsewhere: From version 9.16.0, the 'trusted-keys' and 'managed-keys' statements are deprecated, and only the replacement options 'static-key' and 'initial-key' should be used (within the 'trust-anchors' statement). If the trust anchors aren't available in DNSKEY format, but only in DS format (as with new root trust anchors announced but not yet published by IANA), you can use them with the options 'static-ds' and 'initial-ds'..

but when i use static-key, initial-key, static-ds or initial-ds, it does not recognize it. (opnsense bind does not yet support it?) so i sticked to trusted-keys

but i do not get the:
fully validated
result. what am I missing?

Quote
IN DNSKEY => empty (?)

dig DNSKEY localdomain.com @localhost +multiline

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30932
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;localdomain.com.      IN DNSKEY

;; AUTHORITY SECTION:
localdomain.com.      3158 IN   SOA localhost. info.localdomain.com. (
            2312171219 ; serial
            21600      ; refresh (6 hours)
            3600       ; retry (1 hour)
            3542400    ; expire (5 weeks 6 days)
            3600       ; minimum (1 hour)
            )

;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Sun Dec 17 12:31:17 CET 2023
;; MSG SIZE  rcvd: 104
« Last Edit: December 17, 2023, 12:35:06 pm by RamSense »
Logged

RamSense

  • Hero Member
  • *****
  • Posts: 595
  • Karma: 10
    • View Profile
Re: Bind DNSSEC localdomain
« Reply #2 on: December 17, 2023, 06:58:07 pm »
Got the
; fully validated

now back. Again one step further. Looks like it took some time to propogate, what I did not expect using bind and a domain locally.

now trying to get the
flags: ad

got it now also. solved
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Solved - Bind DNSSEC localdomain
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2