Date: Thu, 23 Jun 2011 20:23:46 +0200 From: Leon =?iso-8859-15?Q?Me=DFner?= <l.messner@physik.tu-berlin.de> To: freebsd-questions@freebsd.org Subject: Re: dnssec with freebsd's resolver(3) Message-ID: <20110623182346.GD74606@emmi.physik-pool.tu-berlin.de> In-Reply-To: <4E026568.4020206@infracaninophile.co.uk> References: <CA27B492.C80F%eosterweil@verisign.com> <4E026568.4020206@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
This mail got only send to Matthew because of bad time of day ;) On Wed, Jun 22, 2011 at 10:58:00PM +0100, Matthew Seaman wrote: > On 22/06/2011 20:02, Osterweil, Eric wrote: > > > > > > > > On 6/22/11 2:56 PM, "Leon Meßner" <l.messner@physik.tu-berlin.de> wrote: > > > >> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote: > >>> On 20/06/2011 01:37, Leon Meßner wrote: > >>>> does the freebsd resolver(3) support sending the DO bit in queries and > >>>> thus do DNSSEC validation ? I tried using ssh with SSHFP RR's in a > >>>> signed zone but i still get the "insecure Key" message from ssh on > >>>> FreeBSD (works on some other OS). > >>> > >>> My understanding is that the stub resolver in the base system does not > >>> handle any DNSSEC functionality. It's not clear (at least to me) that > >>> DO bit processing in stub resolvers is very useful -- without support in > >>> the recursive resolver you use upstream, it won't work, but if your > >>> recursive resolver does DO processing, then you don't need it in your > >>> stub resolver. > >> > >> Ok, my recursive resolver does DO processing. How do i tell ssh to set > >> the bit ? Doesn't ssh use my base system stub resolveer to query my in > >> resolv.conf configured DNS ? > > > > I'm not sure what you mean by "DO processing," but validation requires a > > little more than issuing queries w/ the DO bit set (that has been the > > default in BIND for a while). You need to have the root (or some other) > > trust-anchor configured, and you need to enable DNSSEC validation in your > > named.conf. > > > > Only after that will you see the AD bit at the stub. > > Actually, typically with a correctly configured validating resolver, as > an end user issuing queries from the system's stub resolver, you'll only > see responses with data that is either: > > -- completely unsigned > > -- signed, and that validates correctly > > Data that doesn't validate correctly is discarded. Better make sure > your DNSSEC setup is correctly maintained and updated, or your domains > may effectively disappear from the net. > > "validates correctly" is a function of how your recursive resolver is > configured: for instance, you will probably want to trust DLV secured > data until authentication paths up to the root become more prevalent in > all corners of the DNS. The only thing i want to do at the moment is serve my local zone to my local clients. If i do % dig @dns +dnssec rosa.physik-pool.tu-berlin.de i get ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3 and also i can see the D0 bit set when looking at the tcpdump. If i now use the stub resolver through telnet/ssh the D0 bit does _not_ get set in the query. So there is no way for the recursive NS to supply AD data, right ? thanks for helping the blind. Leon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110623182346.GD74606>