DNSSEC Not Working

I have Freedombox running on an Atomic Pi, and am having issues with DNSSEC not working properly. I have DNSSEC enabled for my domain, and I know that it is working, as I have run the diagnostic tool at http://dnssec-debugger.verisignlabs.com.

Problem Description
When running diagnostics on my Freedombox, I got the following errors:
DNSSEC on IPv4 |failed|
DNSSEC on IPv6 |failed|

Steps to Reproduce

  1. Login to FreedomBox.
  2. Click on System Tab
  3. Click on either the Diagnostics app or the Network app.
  4. Click the Run Diagnostics button.
  5. Wait for diagnostics to finish running.
  6. Observe diagnostic output.

Expected Results
I expected to see a message confirming the DNSSEC was working (passed).

Actual results
I get an error with no messages.

Information

  • FreedomBox version: 19.1

  • Hardware: Atomic Pi on Debian Buster AMD_64

  • How did you install FreedomBox?: ‘apt install freedombox-setup’

For your problem, there are three separate issues:

  1. DNSSEC support for your domain. This is useful for people visiting your domain. FreedomBox does not check for this.
  2. DNSSEC support for all domains that FreedomBox tries to connect to. For this to work, your ISP (or router depending on how things are configured) must be providing DNS servers that are capable of performing DNSSEC resolutions. This is what is checked by diagnostic tests. Specifically, we are running dig -4 +time=2 +tries=1 test.dnssec-or-not.net TXT and checking if the response has Yes, you are running DNSSEC. This test could be outdated or buggy. You can ignore these test results and use other mechanisms to determine if your FreedomBox is using DNSSEC for resolutions.
  3. Finally, if you want to use FreedomBox as your recursive DNS resolver, then we have the bind server available on FreedomBox. You can configure machines on your local network to use this DNS server to avail of the DNSSEC feature. An option to enable DNSSEC in bind is available from the bind application page. FreedomBox itself does not yet use bind for its resolutions currently.

Out of curiosity, did you use FreedomBox amd64 images or install using Debian on your Atomic Pi?

Sunil,
Thank you for the reply, and I installed Debian Buster first, then ran apt install freedombox-setup from the command line.

Sunil,
Just one more thing, I noticed that /etc/resolv.conf is subject to being overwritten by other mechanisms, how do I point my Freedombox to specific DNS resolvers?

Never mind, I found the requested settings in the bind application page.

The diagnostics are also failing for me. Although if I visit http://dnssec-or-not.net/ in a browser, it says everything is working.

jvalleroy@pioneer:~$ dig -4 +time=2 +tries=1 test.dnssec-or-not.net TXT

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> -4 +time=2 +tries=1 test.dnssec-or-not.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64959
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.dnssec-or-not.net.		IN	TXT

;; AUTHORITY SECTION:
dnssec-or-not.net.	3468	IN	SOA	ns.packet-pushers.com. root.packet-pushers.com. 1563390421 3600 300 604800 3600

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Jul 18 06:11:41 EDT 2019
;; MSG SIZE  rcvd: 113
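Added example, not part of any post in this thread and not FreedomBox's own code: a small parser that separates the two signals in the dig output above, the marker string the diagnostic looks for and the `ad` flag in the response header. The function name, verdict labels and the two constructed samples are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

MARKER = "Yes, you are running DNSSEC"  # string the diagnostic checks for (from the reply above)

# Header lines copied from the dig output posted above.
POSTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64959
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
;; SERVER: 192.168.1.1#53(192.168.1.1)
"""

# Constructed samples (not real captures): a passing answer and a resolver that sets no AD flag.
PASSING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
test.dnssec-or-not.net. 60 IN TXT "Yes, you are running DNSSEC"
"""
NO_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

@dataclass
class DigResult:
    status: str
    ad: bool      # resolver reports it validated the response (or the denial of existence)
    marker: bool  # the TXT string the diagnostic looks for is present
    verdict: str

def classify(dig_output: str, marker: str = MARKER) -> DigResult:
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    if not (status and flags):
        return DigResult("", False, False, "unparseable")
    ad = "ad" in flags.group(1).split()
    # Resource records are the lines that do not start with ';' (dig's comment prefix).
    found = any(marker in ln for ln in dig_output.splitlines() if not ln.startswith(";"))
    if found:
        verdict = "pass"
    elif ad:
        # AD set but no marker: the resolver reports validation; only the test record is absent.
        verdict = "resolver-validates-marker-missing"
    else:
        verdict = "no-validation-evidence"
    return DigResult(status.group(1), ad, found, verdict)

if __name__ == "__main__":
    for name, text in [("posted", POSTED), ("passing", PASSING), ("no-ad", NO_AD)]:
        print(name, classify(text))
```

The `ad` flag is the resolver's own claim (here 192.168.1.1), so it is only as trustworthy as the path between the host and that resolver.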

I can confirm. Created a bug for the problem: DNSSEC diagnostic tests fail (#1607) · Issues · FreedomBox / FreedomBox · GitLab

Thanks for that information. The reason I asked is that if you used the AMD64 FreedomBox image and if it worked as expected, then we could advertise support for this board in our hardware list. Atomic Pi is interesting hardware due to its CPU speed and price point. If you ever get a chance to test the FreedomBox image on this board, do report it. I will add the information to the manual.

If you change this setting in bind’s configuration page, it should only affect how bind does its resolutions, if I understand it correctly.

The way to set the configuration for /etc/resolv.conf is determined by how you configured your network interface. If you used network manager to do that, then you will find the setting in FreedomBox UI for network manager or when using the command line tools nmtui or nmcli. However, since you installed Debian first, you have likely configured the interface in /etc/network/interfaces and you are likely using the program resolvconf to manage your /etc/resolv.conf. In this case, add a line similar to the following line in /etc/network/interfaces.

dns-nameservers 12.34.56.78 12.34.56.79

More information at NetworkConfiguration - Debian Wiki

Sunil, I did just that (after reading your post on the emmc vs sdcard read speeds), and could not get the Atomic Pi to boot. I think it has something to do with UEFI boot settings in the image, as I had to force UEFI boot on the first partition in order to get the Atomic Pi to boot Debian correctly.

Thanks a lot for the test report.

I think this is somewhat expected. FreedomBox images are currently not built for UEFI booting. (The partition table inside is an MBR partition table, the grub package is grub-pc instead of grub-efi, and there is no EFI boot partition available.) Some systems detect the MBR partition table and fall back to traditional booting. In case of Atomic Pi, I suppose you had to disable UEFI booting and fall back to traditional booting.

First, we can document this quirk and advertise support for Atomic Pi with our amd64 image. Then we can work on building a proper UEFI image that does not need meddling with UEFI settings.

Sunil, I’ll be happy to help! Just let me know what is needed… I will look into the BIOS settings on the Atomic Pi when I get a chance, and report back.

Great! Please provide the exact steps for UEFI boot configuration change you made to get it to work. Then we will create a hardware wiki page similar to one for APU. If we don’t get a free licensed picture you can provide a picture of your board :slight_smile: We will make a public announcement.

After that we can start hacking code in freedom-maker. If you are a coder, you can take a jab at it. Otherwise, I will try to make the necessary changes and you can test the output image.

I’m going to post this as a new topic in the Development section, so the subject matter is pertinent to the discussion.