Alexander Bokovoy asked for a note on the use of Unbound as a slave
resolver to freeipa's bind9+dnssec because of the issues discussed under
Re: [Freeipa-users] Re: Dnssec rejected by Cloudflair, Google, accepted
by Verizon, AT&T
Summarizing: Unbound is just a lot faster than bind9+dnssec,
additionally offering native support for DANE, DNS over tls and etc.
Older hardware running bind9 can't process DNS + DNSSec queries under
the timeout limits used by major public dns resolvers relied upon by
thousands, including mail providers. Unbound can and does.
Steps:
1. Work with existing freeipa tools and documentation to get dnssec
working properly under bind9, validate it using at least two of the
public dnssec diagnostic tools (verisign, etc.).
2. Use global dns performance testing tools to see whether all report
good results from several dozen of the world's public dns resolvers. If
they all report 'green' or 'ok', then your servers are 'fast
enough' and
you don't need this further work (unless you want DANE, dns over tls and
the other things unbound offers).
3. For at least one, and preferably at least as many freeipa
master/slaves identify an ip4 (and ip6) address for use by the unbound
resolver service. It's best if they are in the same subnet as at least
one of the freeipa machine's interfaces and preferably secured for
physical reasons or, second best, encryption.
4. Load those addresses into the 'Allow Transfer' section of Freeipa's
dns domain manager settings window. Be sure reasonable values exist in
every section measured in (seconds). I also chose to edit
/etc/named/ipa-options-ext.conf to 'notify explicit; also-notify { all
freeipa and unbound addresses other than the current host } ;
allow-notify { only freeipa and not unbound addresses; } You might
take the chance to set up acls and make good decisions about rate
limiting and allow-* settings. I found only rebooting freeipa & bind9
caused bind9 to get the updated 'allow transfer' settings from freeipa.
Restarting bind9 alone was not enough.
5. Either in a new network name space on the same host as freeipa or in
a vm on that host, or, well, anywhere really except on the same set of
addresses as freeipa's named daemon: Load unbound and prove up it is
working under default settings using the addresses reserved above.
6. Create a file in unbound.conf.d for access control. I suggest
leading it off with
access-control: 0.0.0.0/0 refuse_non_local
access-control: ::0/0 refuse_non_local
access-control: 127.0.0.0/8 allow_snoop
access-control: ::1 allow_snoop
followed by whatever local address ranges you'd like for full dns
recursive services, such as your 'lan' or equivalent eg
access-control: 10.something.whatnot.0/24 allow
In an related 'options' file, include 'interface' lines for each host
address you want unbound to process incoming queries (your local lan
interface as well), and including at least one of the host addresses you
entered into freeipa above. Include 'outgoing-interface' lines the
interface on the unbound host that matches at least one of the addresses
entered into freeipa.
In another file, or one file per zone, add an 'auth-zone:' section using
'name:' as the zone to support, and 'primary:..." entries for each
freeipa server.
7. Restart unbound. use dig @unbound-serverip to validate proper operation.
8. Change NS records on all servers to be handled by unbound to point to
the unbound's interfaces named in the 'interface' lines above. I chose
to have public IPs point at the unbound supported slave resolvers, and
left all local lan resolution using freeipa, since there was no security
value added by dns over tls & etc owing to the physical site-wire
security. But YMMV.
9. Revalidate proper DNSSEC validation and worldwide resolver
performance/accuracy.
In my case, 'ancient' servers passed all tests using the unbound
frontend with and without dnssec. They also passed using freeipa's
setup without dnssec (nearly always, one in Australia and one in Brazil
would occasionally fail). Freeipa's servers with dnssec passed most of
them, but failed google and cloudflare always, occasionally one or two
others but passed most.
There are a fair few other options to do with performance and features
you can add and manage, well documented by the unbound support folks.
That's it! Hope that helps others.
Harry Coin
https://rockstablesystems.com