From owner-freebsd-questions@FreeBSD.ORG Thu Jun 23 18:23:53 2011
Date: Thu, 23 Jun 2011 20:23:46 +0200
From: Leon Meßner
To: freebsd-questions@freebsd.org
Subject: Re: dnssec with freebsd's resolver(3)
Message-ID: <20110623182346.GD74606@emmi.physik-pool.tu-berlin.de>
In-Reply-To: <4E026568.4020206@infracaninophile.co.uk>
User-Agent: Mutt/1.5.20 (2009-06-14)

This mail only got sent to Matthew because of the bad time of day ;)

On Wed, Jun 22, 2011 at 10:58:00PM +0100, Matthew Seaman wrote:
> On 22/06/2011 20:02, Osterweil, Eric wrote:
> >
> > On 6/22/11 2:56 PM, "Leon Meßner" wrote:
> >
> >> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
> >>> On 20/06/2011 01:37, Leon Meßner wrote:
> >>>> Does the FreeBSD resolver(3) support sending the DO bit in queries and
> >>>> thus do DNSSEC validation? I tried using ssh with SSHFP RR's in a
> >>>> signed zone but I still get the "insecure Key" message from ssh on
> >>>> FreeBSD (works on some other OS).
> >>>
> >>> My understanding is that the stub resolver in the base system does not
> >>> handle any DNSSEC functionality. It's not clear (at least to me) that
> >>> DO bit processing in stub resolvers is very useful -- without support in
> >>> the recursive resolver you use upstream, it won't work, but if your
> >>> recursive resolver does DO processing, then you don't need it in your
> >>> stub resolver.
> >>
> >> Ok, my recursive resolver does DO processing. How do I tell ssh to set
> >> the bit? Doesn't ssh use my base system stub resolver to query the DNS
> >> configured in my resolv.conf?
> >
> > I'm not sure what you mean by "DO processing," but validation requires a
> > little more than issuing queries w/ the DO bit set (that has been the
> > default in BIND for a while). You need to have the root (or some other)
> > trust-anchor configured, and you need to enable DNSSEC validation in your
> > named.conf.
> >
> > Only after that will you see the AD bit at the stub.
>
> Actually, typically with a correctly configured validating resolver, as
> an end user issuing queries from the system's stub resolver, you'll only
> see responses with data that is either:
>
> -- completely unsigned
>
> -- signed, and that validates correctly
>
> Data that doesn't validate correctly is discarded. Better make sure
> your DNSSEC setup is correctly maintained and updated, or your domains
> may effectively disappear from the net.
>
> "validates correctly" is a function of how your recursive resolver is
> configured: for instance, you will probably want to trust DLV secured
> data until authentication paths up to the root become more prevalent in
> all corners of the DNS.

The only thing I want to do at the moment is serve my local zone to my
local clients. If I do

% dig @dns +dnssec rosa.physik-pool.tu-berlin.de

I get

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3

and I can also see the DO bit set when looking at the tcpdump. If I now
use the stub resolver through telnet/ssh, the DO bit does _not_ get set
in the query. So there is no way for the recursive NS to supply AD data,
right?

Thanks for helping the blind.

Leon
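Added worked example (editor's addition, not part of the thread and not FreeBSD, BIND or OpenSSH code): a small Python script that builds the kind of DNS query Leon's dig command sends, i.e. one carrying an EDNS0 OPT record with the DO ("DNSSEC OK") bit set, walks a query to report whether that bit is present (what he looked for in tcpdump), and decodes the header flags from a response so you can see the `ad` flag dig printed. The two responses it inspects are constructed inline, not captured traffic; the `ask()` helper and the server address you pass to it are assumptions for trying this against your own recursive resolver.

```python
import struct

# Header flag bits (RFC 1035; AD/CD from RFC 4035) and the OPT pseudo-RR (RFC 6891).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authenticated Data: set only by a validating resolver
FLAG_CD = 0x0010   # Checking Disabled
OPT_TYPE = 41
EDNS_DO = 0x8000   # DO bit is the top bit of the OPT RR's 32-bit TTL field

def encode_name(name):
    """Wire-encode a dotted name without compression (fine for queries)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=1, txid=0x1234, dnssec_ok=True):
    """Build a UDP query; with dnssec_ok=True append an EDNS0 OPT RR with DO set."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    if not dnssec_ok:
        return header + question
    # OPT pseudo-RR: owner ".", TYPE 41, CLASS = advertised UDP payload size,
    # TTL = ext-RCODE(8) | EDNS version(8) | flags(16, DO is the top bit), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return header + question + opt

def _skip_name(packet, off):
    """Return the offset just past a (possibly compressed) name at packet[off:]."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length

def query_sets_do(packet):
    """Walk all sections of a query and report whether an OPT RR with DO is present."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & EDNS_DO:
            return True
    return False

def response_flags(packet):
    """Decode the header flag bits the way dig prints them (qr rd ra ad cd)."""
    flags = struct.unpack("!H", packet[2:4])[0]
    names = [("qr", FLAG_QR), ("rd", FLAG_RD), ("ra", FLAG_RA),
             ("ad", FLAG_AD), ("cd", FLAG_CD)]
    return {n for n, bit in names if flags & bit}

def validated(packet):
    """What an SSHFP-checking client needs: AD set by a trusted validating resolver."""
    return "ad" in response_flags(packet)

def ask(server, qname, qtype=1, timeout=3.0):
    """Send one DO-flagged query over UDP and return the raw response (needs network)."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        return s.recv(4096)

# Constructed sample responses (not captured traffic): same answer with and without AD.
def _sample_response(flags):
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name("rosa.physik-pool.tu-berlin.de") + struct.pack("!HH", 1, 1)
    # Answer: name is a pointer to offset 12, A/IN, TTL 300, RDLEN 4, documentation address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

SAMPLE_VALIDATED = _sample_response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_UNVALIDATED = _sample_response(FLAG_QR | FLAG_RD | FLAG_RA)

if __name__ == "__main__":
    q = build_query("rosa.physik-pool.tu-berlin.de")
    print("DO bit in query:", query_sets_do(q))
    print("validated answer flags:", sorted(response_flags(SAMPLE_VALIDATED)))
    print("unvalidated answer flags:", sorted(response_flags(SAMPLE_UNVALIDATED)))
```

To try it live, call `ask("<your recursive resolver>", "rosa.physik-pool.tu-berlin.de")` and pass the result to `validated()`. The caveat Eric and Matthew raise still applies: the AD flag is just a bit in the response header, so it is only worth anything when the resolver that set it is one you run or trust and the path to it cannot be spoofed (RFC 4035 makes the same point). A stub that never sends the OPT/DO record, as Leon observes, gives the recursive server no reason to include signatures, although a validating resolver may still set AD on its own.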