pfSense Support Subscription

Author Topic: Periodic since 2.2 pages load blank, certs invalid  (Read 14884 times)

0 Members and 1 Guest are viewing this topic.

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +958/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #120 on: February 10, 2015, 01:42:34 pm »
They will work okay with OpenDNS? - Thanks :)

Goto...
Do NOT PM for help!

Offline 0x10C

  • Jr. Member
  • **
  • Posts: 31
  • Karma: +1/-0
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #121 on: February 10, 2015, 01:53:27 pm »
They will work okay with OpenDNS? - Thanks :)

Goto...

I read that but I just wanted to confirm because I wasn't sure if you mistyped what you said due to the way it was worded.

Offline cmb

  • Hero Member
  • *****
  • Posts: 11230
  • Karma: +893/-7
    • View Profile
    • Chris Buechler
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #122 on: February 11, 2015, 02:19:07 am »
Okay I've enabled both of those. They will work okay with OpenDNS?

Yes

Online kejianshi

  • Hero Member
  • *****
  • Posts: 4934
  • Karma: +196/-40
  • Debugging...
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #123 on: February 11, 2015, 02:28:16 am »
Just to be clear, with harden glue I see no issue, but I'm not sure that opendns supports DNSSEC, so if forwarding from opendns with DNSSEC enabled, might get "nothing".

I'm not running opendns here, but seems like it didn't support DNSSEC in the past.  Not sure about now.

(For me at least, trying to use DNSSEC with non-DNSSEC capable servers results in DNS failure to resolve)

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +958/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #124 on: February 11, 2015, 05:13:50 am »
Obviously, as already stated multiple times here, hardening features that make use of DNSSEC will do absolutely nothing useful when you are forwarding DNS queries to OpenDNS or any other open DNS server that does not support DNSSEC at all. If you want DNSSEC, stop using OpenDNS.
Do NOT PM for help!

Offline swix

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +1/-0
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #125 on: February 12, 2015, 09:29:56 am »
Final followup here for me (I hope): Unbound 1.5.2rc1 has just been released, http://www.unbound.net/pipermail/unbound-users/2015-February/003774.html

Interesting part of the release notes in our case:

Quote
This release fixes a DNSSEC validation issue when an upstream server
with different trust anchors introduces unsigned records in messages.
 Harden-glue when turned off allows potentially poisonous records in
the cache in the hopes of that enabling DNS resolution for 'impossible
to resolve' domains, it is fixed to have 'less cache poisoning',
quotes added because it is by definition not secure to turn off
harden-glue.  New features are that "inform" can be used to see which
IPs lookup a domain, and unbound-control can use named unix pipes.

According to Chris in Redmine, this should be fixed in 2.2.1.