From: Matthew Seaman
Date: Mon, 20 Jun 2011 06:17:23 +0100
To: freebsd-questions@freebsd.org
Subject: Re: dnssec with freebsd's resolver(3)
Message-ID: <4DFED7E3.8080203@infracaninophile.co.uk>
In-Reply-To: <20110620003727.GB25579@emmi.physik-pool.tu-berlin.de>

On 20/06/2011 01:37, Leon Meßner wrote:
> does the freebsd resolver(3) support sending the DO bit in queries and
> thus do DNSSEC validation? I tried using ssh with SSHFP RR's in a
> signed zone but I still get the "insecure Key" message from ssh on
> FreeBSD (works on some other OS).

My understanding is that the stub resolver in the base system does not
handle any DNSSEC functionality.

It's not clear (at least to me) that DO bit processing in stub resolvers
is very useful -- without support in the recursive resolver you use
upstream, it won't work, but if your recursive resolver does DO
processing, then you don't need it in your stub resolver.

named(8) in the base system is DNSSEC capable, but if you want to run an
authoritative server with the data signed using DNSSEC then you should
probably run one from the dns/bind98 port due to the much improved key
handling support in more recent BIND versions.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
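The exchange above turns on two wire-level details: the DO bit a client sets in the EDNS0 OPT record of its query, and the AD (authenticated data) bit a validating recursive resolver sets in its reply, which is what a DNSSEC-aware client such as ssh checking SSHFP records looks at before it treats a key as anything better than "insecure". The following Python script is added here as an illustration; it is not part of the thread and has nothing to do with FreeBSD's resolver(3) implementation. It builds such a query from scratch, confirms the DO bit is where RFC 6891 puts it, and classifies replies by their AD bit and RCODE. The host name, transaction id and the all-zero SSHFP fingerprint are constructed placeholders, and the replies are hand-built rather than captured from a real resolver (a real DO reply would also carry RRSIG records, which are omitted here).

```python
import struct

TYPE_OPT = 41
TYPE_SSHFP = 44
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # DO bit: high bit of the 16-bit extended flags in the OPT RR "TTL" field


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, qtype=TYPE_SSHFP, txid=0x1234, do=True):
    """One question, RD set, plus an EDNS0 OPT record; DO asks upstream for DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # arcount=1 for the OPT RR
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    ext_flags = EDNS_DO if do else 0
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode|version|flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, ext_flags, 0)
    return header + question + opt


def query_sets_do(query):
    """Read back the trailing 11-byte OPT record (RDLEN 0) and report whether DO is set."""
    name, rtype, _size, _erc, _ver, ext_flags, rdlen = struct.unpack("!BHHBBHH", query[-11:])
    return name == 0 and rtype == TYPE_OPT and rdlen == 0 and bool(ext_flags & EDNS_DO)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a client cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "ancount": an}


def classify(response):
    """What a client learns from the header alone, mirroring ssh's secure/insecure decision."""
    h = parse_header(response)
    if h["rcode"] == 2:
        return "servfail"  # a validating resolver answers SERVFAIL for data that fails validation
    if h["rcode"] != 0 or h["ancount"] == 0:
        return "no-data"
    return "validated" if h["ad"] else "insecure"  # AD set only by a validating upstream


def build_response(query, ad, rcode=0, fingerprint=bytes(20)):
    """Constructed reply (not real resolver output): echoes the question and adds one SSHFP RR."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    question = query[12:-11]  # everything between the header and the 11-byte OPT record
    rdata = bytes([1, 1]) + fingerprint  # algorithm 1 (RSA), fp type 1 (SHA-1), constructed fp
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SSHFP, 1, 300, len(rdata)) + rdata
    ancount = 0 if rcode else 1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + question + (answer if ancount else b"")


if __name__ == "__main__":
    q = build_query("host.example.org")  # constructed name
    print("DO set in query:", query_sets_do(q))
    for label, resp in [("validating upstream", build_response(q, ad=True)),
                        ("non-validating upstream", build_response(q, ad=False)),
                        ("validation failure", build_response(q, ad=False, rcode=2))]:
        print(f"{label}: {classify(resp)}")
```

Running this against a real upstream would mean sending build_query()'s bytes over UDP port 53 and handing the reply to classify(). If replies for a zone you know to be signed never carry AD, the recursive resolver is not validating, and, as the reply above says, adding DO-bit support to the stub resolver would not change what ssh reports; the fix is a validating recursive resolver (or one running locally) in front of the stub.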