From owner-freebsd-questions@FreeBSD.ORG Wed Jun 22 18:56:45 2011
Date: Wed, 22 Jun 2011 20:56:42 +0200
From: Leon Meßner
To: freebsd-questions@freebsd.org
Subject: Re: dnssec with freebsd's resolver(3)
Message-ID: <20110622185642.GB74606@emmi.physik-pool.tu-berlin.de>
In-Reply-To: <4DFED7E3.8080203@infracaninophile.co.uk>
References: <20110620003727.GB25579@emmi.physik-pool.tu-berlin.de> <4DFED7E3.8080203@infracaninophile.co.uk>

On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
> On 20/06/2011 01:37, Leon Meßner wrote:
> > Does the FreeBSD resolver(3) support sending the DO bit in queries and
> > thus do DNSSEC validation? I tried using ssh with SSHFP RRs in a
> > signed zone but I still get the "insecure Key" message from ssh on
> > FreeBSD (works on some other OS).
>
> My understanding is that the stub resolver in the base system does not
> handle any DNSSEC functionality. It's not clear (at least to me) that
> DO bit processing in stub resolvers is very useful -- without support in
> the recursive resolver you use upstream, it won't work, but if your
> recursive resolver does DO processing, then you don't need it in your
> stub resolver.

Ok, my recursive resolver does DO processing. How do I tell ssh to set
the bit? Doesn't ssh use my base system stub resolver to query the DNS
servers configured in my resolv.conf?

thanks,
Leon
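The thread turns on two header bits that the stub resolver either does or does not handle: the EDNS0 DO ("DNSSEC OK") bit a client sets in its query, and the AD ("Authenticated Data") bit a validating recursive resolver sets in its response, which is what a client such as ssh looks at before it trusts an SSHFP record. The following is an added example, not code from the thread, from FreeBSD or from OpenSSH; it builds an SSHFP query in DNS wire format with and without an OPT record carrying DO=1, checks which form sets the bit, and reads the AD flag out of a response header. The query name `host.example.` and both responses are constructed in-process so the script runs offline.

```python
"""Added example: what "sending the DO bit" and "getting a validated answer" look
like on the wire (RFC 6891 OPT record, RFC 4035 AD flag). All messages are
constructed here; nothing is sent over the network."""
import struct

TYPE_OPT = 41        # EDNS0 pseudo-RR type
TYPE_SSHFP = 44      # SSH fingerprint RR type
CLASS_IN = 1
EDNS_DO = 0x8000     # DO bit: bit 15 of the OPT record's 32-bit TTL field
FLAG_QR = 0x8000     # header flag: message is a response
FLAG_RD = 0x0100     # header flag: recursion desired
FLAG_RA = 0x0080     # header flag: recursion available
FLAG_AD = 0x0020     # header flag: authenticated data (set by a validating resolver)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the name starting at pos (handles pointers)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return pos + 2
        pos += 1 + length


def build_query(qname: str, qtype: int, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Build a query; with dnssec_ok=True append an OPT RR whose DO bit is set.

    Without the OPT RR this is the shape of a plain stub-resolver query, which
    gives the upstream resolver no reason to return RRSIGs."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, "TTL" = ext-rcode(8)
        # | version(8) | DO(1) | Z(15), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def query_sets_do(msg: bytes) -> bool:
    """Walk a query and report whether an OPT RR in the additional section has DO=1."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4           # QTYPE + QCLASS
    for _ in range(an + ns):
        pos = skip_name(msg, pos)
        _, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
    for _ in range(ar):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            return True
        pos += 10 + rdlen
    return False


def response_is_validated(msg: bytes) -> bool:
    """True when the response header carries the AD flag."""
    _, flags = struct.unpack("!HH", msg[:4])
    return bool(flags & FLAG_QR) and bool(flags & FLAG_AD)


def sample_response(validated: bool, txid: int = 0x1234) -> bytes:
    """Constructed response header only (the body is irrelevant to the AD check)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)


if __name__ == "__main__":
    q = build_query("host.example.", TYPE_SSHFP)
    print("DO set in EDNS query:", query_sets_do(q))
    print("DO set in plain query:", query_sets_do(build_query("host.example.", TYPE_SSHFP, dnssec_ok=False)))
    print("AD in validated response:", response_is_validated(sample_response(True)))
    print("AD in unvalidated response:", response_is_validated(sample_response(False)))
```

The AD flag only means something when the path between the stub and the validating resolver is itself trusted (for example a validator on localhost); a plain, unauthenticated UDP hop to a remote resolver lets anyone on the path set or clear that bit, so the check above tells you what the resolver claimed, not whether the claim survived transit.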