From: "Osterweil, Eric" <eosterweil@verisign.com>
To: Leon Meßner
Date: Wed, 22 Jun 2011 15:02:42 -0400
Subject: Re: dnssec with freebsd's resolver(3)
In-Reply-To: <20110622185642.GB74606@emmi.physik-pool.tu-berlin.de>
List: freebsd-questions@freebsd.org
On 6/22/11 2:56 PM, "Leon Meßner" wrote:

> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
>> On 20/06/2011 01:37, Leon Meßner wrote:
>>> Does the freebsd resolver(3) support sending the DO bit in queries and
>>> thus do DNSSEC validation? I tried using ssh with SSHFP RR's in a
>>> signed zone but I still get the "insecure Key" message from ssh on
>>> FreeBSD (works on some other OS).
>>
>> My understanding is that the stub resolver in the base system does not
>> handle any DNSSEC functionality. It's not clear (at least to me) that
>> DO bit processing in stub resolvers is very useful -- without support in
>> the recursive resolver you use upstream, it won't work, but if your
>> recursive resolver does DO processing, then you don't need it in your
>> stub resolver.
>
> Ok, my recursive resolver does DO processing. How do I tell ssh to set
> the bit? Doesn't ssh use my base system stub resolver to query the DNS
> server configured in my resolv.conf?

I'm not sure what you mean by "DO processing," but validation requires a little more than issuing queries w/ the DO bit set (that has been the default in BIND for a while). You need to have the root (or some other) trust-anchor configured, and you need to enable DNSSEC validation in your named.conf. Only after that will you see the AD bit at the stub.

Eric
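To make the two bits discussed in this thread concrete, here is an added example (not code from the thread or from FreeBSD's resolver) that builds an SSHFP query carrying the EDNS0 DO bit and checks whether a response header carries the AD flag, which only a validating recursive resolver with a trust anchor will set. The two sample responses are constructed inline; no network is used.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035); AD sits in the low byte of the flags word
FLAG_QR = 0x8000
FLAG_AD = 0x0020
EDNS_DO = 0x8000   # DO bit lives in the OPT RR's TTL field (RFC 3225)
TYPE_OPT = 41
TYPE_SSHFP = 44


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_do_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Query for name/qtype with RD=1 plus an EDNS0 OPT RR with DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def query_sets_do(msg: bytes) -> bool:
    """Skip header and question section, then read the DO flag of the first OPT RR."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos = 12
    for _ in range(qdcount):
        while msg[pos] != 0:          # walk the labels of QNAME
            pos += 1 + msg[pos]
        pos += 1 + 4                  # terminating 0, then QTYPE + QCLASS
    if arcount == 0 or msg[pos] != 0: # OPT RR must have the root name
        return False
    rtype, _udp_size, ttl = struct.unpack("!HHI", msg[pos + 1:pos + 9])
    return rtype == TYPE_OPT and bool(ttl & EDNS_DO)


def response_is_authenticated(msg: bytes) -> bool:
    """True only for a response whose AD flag a validating resolver set."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & FLAG_QR) and bool(flags & FLAG_AD)


# Constructed response headers: QR+RD+RA+AD versus QR+RD+RA without AD
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
UNVALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
```

Without the AD flag, an SSHFP record in a signed zone is still treated as insecure by the client, which is the behaviour reported above.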