DNSSEC (Hardened) not supported by many ISPs' DNS servers - check + hint + config should be offered in wizard #1962
Comments
Hi @hutiucip, thanks, will take care of this. :)

@hutiucip upon further reflection, we will disable dnssec-stripped option in the default install and go from there. unbound enables this by default but not dnssec, it's a slippery slope and hopefully a sane tradeoff CC @fabianfrz

@fichtner DNSSEC works best in resolver mode as this is the only way to get a chain of trust. A DNS server working as a forwarder will only see the AD flag, which could be set by anyone (as the data is not signed).
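The point above about the AD flag, as an added example that is not code from the thread or from OPNsense/unbound: the AD bit is just one bit in the unsigned 16-bit flags word of the DNS header, so a forwarder that receives it from upstream has no cryptographic way to tell a validated answer from one where the bit was merely set, whereas a resolver that ran the validator itself decides the bit from its own chain-of-trust check. The header layout is from RFC 1035/4035; the sample messages are constructed, and `trusted_ad` is an assumed helper name.

```python
import struct

# Flag bit positions in the 16-bit DNS header flags word (RFC 1035, AD/CD from RFC 4035).
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named flags, opcode, rcode and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}
    out.update(id=msg_id, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
               qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return out


def build_header(msg_id: int, *, ad: bool, rcode: int = 0) -> bytes:
    """Constructed response header (QR=1, RD=1, RA=1) with the AD bit set or clear.

    Nothing in the header is signed: the only difference between an answer an
    upstream validated and one it merely flagged is this single bit.
    """
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (int(ad) << 5) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, 1, 1, 0, 0)


def trusted_ad(msg: bytes, *, resolver_mode: bool) -> bool:
    """Whether the AD bit in this message is evidence of DNSSEC validation.

    resolver_mode=True models unbound running the validator itself (in unbound.conf
    terms: module-config: "validator iterator"), where AD reflects its own check.
    resolver_mode=False models a forwarder that only relays an upstream's unsigned
    bit over the wire, so AD there is not proof of anything.
    """
    return parse_header(msg)["AD"] if resolver_mode else False


if __name__ == "__main__":
    validated = build_header(0x1234, ad=True)
    print(parse_header(validated))
    print("forwarder trusts AD:", trusted_ad(validated, resolver_mode=False))
    print("resolver trusts AD: ", trusted_ad(validated, resolver_mode=True))
```

The wire bytes of `build_header(1, ad=True)` and `build_header(1, ad=False)` differ in exactly one bit, which is why the thread's preference for resolver mode over forwarding is the only way to get a real chain of trust.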

@fabianfrz we are in resolver mode, debating dnssec-stripped usage

I'm reopening this briefly. The system wizard usability was improved. We should add three unbound checkboxes: resolver mode, enable dnssec, dnssec hardening, where only resolver mode is the one that is active by default. That would also mean stripping dnssec from the default. I fear hardening is not enough to take away to really fix it. Feedback welcome.

Works as previously stated. :)
Hello!
As enough DNS servers/resolvers don't cope well with DNSSEC, especially if hardened, would it be possible for the wizard, after a fresh install, to check DNS resolution and, if DNS resolution fails, to offer a hint regarding disabling DNSSEC hardened data (most issues), and eventually even disabling DNSSEC completely? Of course, only while informing users that this will lower the security of their OPNsense installation, and that they should properly configure their DNS servers, or send a request to their DNS provider to enable and properly configure DNSSEC on its servers.
Several first-time users already had (and future first-time users will have) a bad first experience when DNSSEC is not supported by their DNS servers/resolvers, AND the first impression is (falsely) that OPNsense is at fault.
Thank you!