Date: Mon, 20 Jun 2011 06:17:23 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: freebsd-questions@freebsd.org Subject: Re: dnssec with freebsd's resolver(3) Message-ID: <4DFED7E3.8080203@infracaninophile.co.uk> In-Reply-To: <20110620003727.GB25579@emmi.physik-pool.tu-berlin.de> References: <20110620003727.GB25579@emmi.physik-pool.tu-berlin.de>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On 20/06/2011 01:37, Leon Meßner wrote:
> does the freebsd resolver(3) support sending the DO bit in queries and
> thus do DNSSEC validation ? I tried using ssh with SSHFP RR's in a
> signed zone but i still get the "insecure Key" message from ssh on
> FreeBSD (works on some other OS).
My understanding is that the stub resolver in the base system does not
handle any DNSSEC functionality. It's not clear (at least to me) that
DO bit processing in stub resolvers is very useful -- without support in
the recursive resolver you use upstream, it won't work, but if your
recursive resolver does DO processing, then you don't need it in your
stub resolver.
named(8) in the base system is DNSSEC capable, but if you want to run an
authoritative server with the data signed using DNSSEC then you should
probably run one the dns/bind98 port due to the much improved key
handling support in mor recent BIND versions.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew@infracaninophile.co.uk Kent, CT11 9PW
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk3+1+sACgkQ8Mjk52CukIzQfACfSehH7temsN4IchQ2QvhnYvfB
5VcAnjbuLnzxZFGMfYEPn6JNgeOLAUaN
=S0W6
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4DFED7E3.8080203>