Date:      Wed, 22 Jun 2011 15:02:42 -0400
From:      "Osterweil, Eric" <eosterweil@verisign.com>
To:        Leon Meßner <l.messner@physik.tu-berlin.de>, <freebsd-questions@freebsd.org>
Subject:   Re: dnssec with freebsd's resolver(3)
Message-ID:  <CA27B492.C80F%eosterweil@verisign.com>
In-Reply-To: <20110622185642.GB74606@emmi.physik-pool.tu-berlin.de>




On 6/22/11 2:56 PM, "Leon Meßner" <l.messner@physik.tu-berlin.de> wrote:

> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
>> On 20/06/2011 01:37, Leon Meßner wrote:
>>> Does the FreeBSD resolver(3) support sending the DO bit in queries and
>>> thus do DNSSEC validation? I tried using ssh with SSHFP RRs in a
>>> signed zone but I still get the "insecure Key" message from ssh on
>>> FreeBSD (works on some other OS).
>>
>> My understanding is that the stub resolver in the base system does not
>> handle any DNSSEC functionality.  It's not clear (at least to me) that
>> DO bit processing in stub resolvers is very useful -- without support in
>> the recursive resolver you use upstream, it won't work, but if your
>> recursive resolver does DO processing, then you don't need it in your
>> stub resolver.
>
> Ok, my recursive resolver does DO processing. How do I tell ssh to set
> the bit? Doesn't ssh use my base system stub resolver to query the DNS
> configured in my resolv.conf?

I'm not sure what you mean by "DO processing," but validation requires a
little more than issuing queries w/ the DO bit set (that has been the
default in BIND for a while).  You need to have the root (or some other)
trust-anchor configured, and you need to enable DNSSEC validation in your
named.conf.

Only after that will you see the AD bit at the stub.

Eric
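As an added illustration of the distinction Eric draws (this is not code from the thread), the Python below shows the two bits at the wire level: a stub sets DO in the EDNS0 OPT record of its query, while AD only appears in the reply header when the recursive resolver has validated the answer against its configured trust anchor. The transaction id and the two reply headers are constructed for the example; the SSHFP type code (44) is the standard one.

```python
"""DO bit in the query vs AD bit in the reply, at the wire level.
Added example (not from the thread). Layouts follow RFC 1035 (header),
RFC 6891 (EDNS0 OPT RR) and RFC 4035 (AD flag semantics)."""
import struct

SSHFP = 44  # RR type ssh asks for when VerifyHostKeyDNS is enabled

def build_query(name: str, qtype: int = SSHFP, txid: int = 0x1234) -> bytes:
    """Query with RD set plus an OPT pseudo-RR whose DO flag asks the upstream
    recursive resolver to include DNSSEC records; it does not cause validation."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR (RFC 6891): owner is root, TYPE=41, CLASS = UDP payload size,
    # the 32-bit TTL slot holds EXT-RCODE(8) | VERSION(8) | DO(1) | Z(15).
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 1 << 15, 0)
    return header + question + opt

def opt_do_flag(msg: bytes) -> bool:
    """Read DO from a trailing OPT RR. Assumption: the OPT RR is the last record
    and carries no options, which is how build_query emits it."""
    owner, rtype, _, ttl, rdlen = struct.unpack("!BHHIH", msg[-11:])
    if owner != 0 or rtype != 41 or rdlen != 0:
        raise ValueError("message does not end in an empty OPT RR")
    return bool(ttl & 0x8000)

def header_flags(msg: bytes) -> dict:
    """Decode the header flags word. A validating recursive resolver sets AD
    only after verifying the answer against its configured trust anchor."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return {"qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "rcode": flags & 0x000F}

# Constructed reply headers (sections omitted, only the flags word matters):
# QR|RD|RA with and without AD, RCODE=0.
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 0, 0, 0)
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)

def sshfp_usable(reply: bytes) -> bool:
    """ssh accepts an SSHFP answer as authenticated only when AD is set; a
    reply without it produces the "insecure" key message seen in the thread."""
    f = header_flags(reply)
    return f["qr"] and f["rcode"] == 0 and f["ad"]
```

Note that a stub can only trust AD if the path to the recursive resolver is itself trustworthy (localhost or an authenticated channel); a forged reply can set the bit too.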



