Hello Team,
I currently have the following IPFire installation in my house:
- IPFire acts as my router and as the DNS server for my internal network.
- FreeIPA has been deployed for SSL and DNS management of my custom lab network (with the DNS zone local.lab).
- I set up IPFire with a DNS forwarding zone for “local.lab”, handled by my FreeIPA DNS server.
- Multiple VMs and PCs use the IPFire DNS server as their primary DNS server.
When accessing the Internet there is no problem, it works out of the box. However, when dealing with my “local.lab” servers it’s another story: even though DNSSEC is enabled on my FreeIPA server, every time I perform a DNS query to my IPFire for this particular zone it fails with the following error messages:
14:16:42 unbound: [13396:0] info: validation failure <gitea.local.lab. A IN>: no NSEC3 records from AAA.BBB.CCC.DDD for DS lab. while building chain of trust
14:16:42 unbound: [13396:0] info: validation failure <gitea.local.lab. AAAA IN>: no NSEC3 records from AAA.BBB.CCC.DDD for DS lab. while building chain of trust
14:16:42 unbound: [13396:0] info: validation failure <lab.local.lab. A IN>: key for validation lab. is marked as invalid
14:16:42 unbound: [13396:0] info: validation failure <lab.local.lab. A IN>: key for validation lab. is marked as invalid
14:16:42 unbound: [13396:0] info: validation failure <gitea.local.lab.local.lab. AAAA IN>: key for validation lab. is marked as invalid
14:16:42 unbound: [13396:0] info: validation failure <gitea.local.lab.local.lab. A IN>: key for validation lab. is marked as invalid
In order “to fix this issue” I need to disable DNSSEC on my “local.lab” DNS forwarding zone, which, to be honest (even if it’s a home network), is not secure.
My knowledge of Unbound and DNS is pretty limited, but reading the error message, I understand that Unbound needs to “trust” my DNSSEC records on my IPFire.
How can I perform this operation?
Thanks for your help.
Best regards,
Nicolas
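Added example, not code from the original post, from IPFire or from FreeIPA: the two Unbound configurations that the post is choosing between, generated by a small POSIX shell script. The first fragment is the weak setting (marking the forwarded zone insecure, which is what disabling DNSSEC for the forwarding zone amounts to); the second pins the zone's own key-signing key as a trust anchor, so Unbound starts its chain of trust at local.lab. and no longer needs a DS record for "lab." from a parent that does not exist in the public DNS tree. The zone name local.lab., the FreeIPA address 192.0.2.10, the DNSKEY rdata and the IPFire include path are all assumptions; the key is a constructed placeholder and must be replaced with the real KSK read from the FreeIPA server.

```shell
#!/bin/sh
# Added example, not from the original post, IPFire or FreeIPA.
# Goal: keep DNSSEC validation on for a locally signed zone that Unbound
# reaches through a forward-zone, instead of marking the zone insecure.
#
# Assumptions (not taken from the post): zone "local.lab.", FreeIPA DNS at
# 192.0.2.10, and a CONSTRUCTED placeholder KSK below. On a real system read
# the key from the FreeIPA server itself, e.g.:
#   dig @192.0.2.10 local.lab. DNSKEY +norecurse +short | grep '^257 '
# and put the fragment into a file Unbound includes (on IPFire this is
# assumed to be /etc/unbound/local.d/local-lab.conf; check your install).

ZONE="local.lab"
FREEIPA_IP="192.0.2.10"
# Constructed placeholder: flags 257 (zone key + SEP), protocol 3, alg 13.
KSK_RDATA="257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ=="

# Make a zone name absolute (trailing dot), as Unbound expects in anchors.
fqdn() {
  case "$1" in
    *.) printf '%s' "$1" ;;
    *)  printf '%s.' "$1" ;;
  esac
}

# Weak setting: domain-insecure switches validation off for the whole
# subtree, so forged answers for anything under local.lab. are accepted.
insecure_fragment() {
  z=$(fqdn "$1")
  printf 'server:\n'
  printf '    domain-insecure: "%s"\n' "$z"
  printf 'forward-zone:\n'
  printf '    name: "%s"\n' "$z"
  printf '    forward-addr: %s\n' "$2"
}

# Corrected setting: pin the zone's KSK as a trust anchor. Unbound then
# starts the chain of trust at local.lab. itself and no longer asks the
# parent for "DS lab." (the lookup that fails in the posted log lines).
# The forwarder must still return RRSIGs (FreeIPA's BIND does once the zone
# is signed), otherwise answers are rejected as bogus.
trusted_fragment() {
  z=$(fqdn "$1")
  ip=$2
  rdata=$3
  case "$rdata" in
    "257 3 "*) ;;   # only accept a key-signing key (SEP bit set)
    *) echo "trusted_fragment: expected KSK rdata starting with '257 3'" >&2
       return 1 ;;
  esac
  printf 'server:\n'
  printf '    trust-anchor: "%s DNSKEY %s"\n' "$z" "$rdata"
  printf 'forward-zone:\n'
  printf '    name: "%s"\n' "$z"
  printf '    forward-addr: %s\n' "$ip"
}

# Write the validating fragment and syntax-check it when unbound-checkconf
# is installed (it is skipped silently when the tool is absent).
write_and_check() {
  out=$1
  trusted_fragment "$ZONE" "$FREEIPA_IP" "$KSK_RDATA" > "$out" || return 1
  if command -v unbound-checkconf >/dev/null 2>&1; then
    unbound-checkconf "$out"
  fi
}

# After reloading Unbound, a validated answer carries the AD flag:
#   dig @<ipfire-ip> gitea.local.lab. A +dnssec | grep -q 'flags:.* ad' && echo validated
```

Run `write_and_check /etc/unbound/local.d/local-lab.conf` (path assumed) and reload Unbound; the `dig` line in the trailing comment then shows whether answers for the zone validate. The trust anchor has to be updated whenever the KSK is rolled on the FreeIPA side, which is the operational price of pinning a key that no parent zone vouches for.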