Date: Wed, 22 Jun 2011 20:56:42 +0200
From: Leon Meßner <l.messner@physik.tu-berlin.de>
To: freebsd-questions@freebsd.org
Subject: Re: dnssec with freebsd's resolver(3)
Message-ID: <20110622185642.GB74606@emmi.physik-pool.tu-berlin.de>
In-Reply-To: <4DFED7E3.8080203@infracaninophile.co.uk>
References: <20110620003727.GB25579@emmi.physik-pool.tu-berlin.de> <4DFED7E3.8080203@infracaninophile.co.uk>

On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
> On 20/06/2011 01:37, Leon Meßner wrote:
> > does the freebsd resolver(3) support sending the DO bit in queries and
> > thus do DNSSEC validation? I tried using ssh with SSHFP RR's in a
> > signed zone but I still get the "insecure Key" message from ssh on
> > FreeBSD (works on some other OS).
>
> My understanding is that the stub resolver in the base system does not
> handle any DNSSEC functionality. It's not clear (at least to me) that
> DO bit processing in stub resolvers is very useful -- without support in
> the recursive resolver you use upstream, it won't work, but if your
> recursive resolver does DO processing, then you don't need it in your
> stub resolver.

Ok, my recursive resolver does DO processing. How do I tell ssh to set
the bit? Doesn't ssh use my base system stub resolver to query my DNS
configured in resolv.conf?

thanks,
Leon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110622185642.GB74606>
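
What the DO bit discussed in this thread looks like on the wire, as an added example that is not part of the original messages and not FreeBSD's resolver(3) code: an SSHFP query carrying an EDNS0 OPT record with DO set (RFC 3225), and a check for the AD flag (RFC 4035) that a validating recursive resolver sets in its reply. The function names and the sample host name used with them are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define T_SSHFP 44      /* SSHFP RR type (RFC 4255) */
#define T_OPT   41      /* EDNS0 OPT pseudo-RR (RFC 6891) */
#define EDNS_DO 0x8000  /* DO flag, low 16 bits of the OPT TTL field */
#define HDR_AD  0x0020  /* AD flag in the DNS header flags word */

static void put16(uint8_t *p, unsigned v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Hypothetical helper: build an SSHFP query for `name` with an OPT RR that
 * has DO set. Returns the message length, or 0 if name or buffer is unusable. */
size_t build_do_query(const char *name, uint16_t id, uint8_t *buf, size_t cap)
{
    size_t n = 12;
    if (cap < 12) return 0;
    memset(buf, 0, 12);
    put16(buf, id);
    put16(buf + 2, 0x0100);            /* flags: RD=1, ask for recursion */
    put16(buf + 4, 1);                 /* QDCOUNT = 1 */
    put16(buf + 10, 1);                /* ARCOUNT = 1, the OPT RR below */
    while (*name) {                    /* encode the name label by label */
        size_t len = strcspn(name, ".");
        if (len == 0 || len > 63 || n + 1 + len > cap) return 0;
        buf[n++] = (uint8_t)len;
        memcpy(buf + n, name, len);
        n += len;
        name += len;
        if (*name == '.') name++;
    }
    if (n - 12 + 1 > 255 || n + 16 > cap) return 0;
    buf[n++] = 0;                      /* root label ends the QNAME */
    put16(buf + n, T_SSHFP); n += 2;   /* QTYPE */
    put16(buf + n, 1); n += 2;         /* QCLASS = IN */
    buf[n++] = 0;                      /* OPT owner name is the root */
    put16(buf + n, T_OPT); n += 2;
    put16(buf + n, 4096); n += 2;      /* CLASS field = UDP payload size */
    put16(buf + n, 0); n += 2;         /* extended RCODE 0, EDNS version 0 */
    put16(buf + n, EDNS_DO); n += 2;   /* flags: DO set */
    put16(buf + n, 0); n += 2;         /* RDLENGTH = 0, no options */
    return n;
}

/* Returns 1 if the response header has AD set, i.e. the resolver validated it. */
int response_is_authenticated(const uint8_t *msg, size_t len)
{
    if (len < 12) return 0;
    return (((msg[2] << 8) | msg[3]) & HDR_AD) != 0;
}
```

The AD flag is only as trustworthy as the path between the stub and the recursive resolver, since the stub performs no signature checks itself.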