Date:      Wed, 22 Jun 2011 22:58:00 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: dnssec with freebsd's resolver(3)
Message-ID:  <4E026568.4020206@infracaninophile.co.uk>
In-Reply-To: <CA27B492.C80F%eosterweil@verisign.com>
References:  <CA27B492.C80F%eosterweil@verisign.com>

On 22/06/2011 20:02, Osterweil, Eric wrote:
> 
> On 6/22/11 2:56 PM, "Leon Meßner" <l.messner@physik.tu-berlin.de> wrote:
> 
>> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
>>> On 20/06/2011 01:37, Leon Meßner wrote:
>>>> does the freebsd resolver(3) support sending the DO bit in queries and
>>>> thus do DNSSEC validation ? I tried using ssh with SSHFP RR's in a
>>>> signed zone but i still get the "insecure Key" message from ssh on
>>>> FreeBSD (works on some other OS).
>>>
>>> My understanding is that the stub resolver in the base system does not
>>> handle any DNSSEC functionality.  It's not clear (at least to me) that
>>> DO bit processing in stub resolvers is very useful -- without support in
>>> the recursive resolver you use upstream, it won't work, but if your
>>> recursive resolver does DO processing, then you don't need it in your
>>> stub resolver.
>>
>> Ok, my recursive resolver does DO processing. How do i tell ssh to set
>> the bit ? Doesn't ssh use my base system stub resolver to query my in
>> resolv.conf configured DNS ?
> 
> I'm not sure what you mean by "DO processing," but validation requires a
> little more than issuing queries w/ the DO bit set (that has been the
> default in BIND for a while).  You need to have the root (or some other)
> trust-anchor configured, and you need to enable DNSSEC validation in your
> named.conf.
> 
> Only after that will you see the AD bit at the stub.

Actually, typically with a correctly configured validating resolver, as
an end user issuing queries from the system's stub resolver, you'll only
see responses with data that is either:

    -- completely unsigned

    -- signed, and that validates correctly

Data that doesn't validate correctly is discarded.  Better make sure
your DNSSEC setup is correctly maintained and updated, or your domains
may effectively disappear from the net.

"validates correctly" is a function of how your recursive resolver is
configured: for instance, you will probably want to trust DLV-secured
data until authentication paths up to the root become more prevalent in
all corners of the DNS.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

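A stub-side illustration of the two points made above (Eric's "issue the query with DO set, then look for AD at the stub" and Matthew's three possible outcomes), added here as example code that is not part of the thread or of any FreeBSD or BIND source. It builds a query carrying an EDNS0 OPT record with the DO bit, and classifies constructed responses the way a validating recursive resolver presents them to a stub: unsigned data comes back without AD, signed data that validated comes back with AD set, and data that fails validation is withheld (BIND answers SERVFAIL). The name host.example.net, the SSHFP fingerprint bytes and the RRSIG placeholder rdata are made up for the example; nothing touches the network.

```python
import struct

# DNS header flag bits (RFC 1035; AD/CD from RFC 4035) and EDNS DO bit (RFC 6891)
FLAG_QR = 0x8000      # message is a response
FLAG_RD = 0x0100      # recursion desired
FLAG_RA = 0x0080      # recursion available
FLAG_AD = 0x0020      # authenticated data: resolver validated everything it returned
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000      # DO bit: bit 15 of the OPT RR's 32-bit "TTL" field

TYPE_OPT = 41
TYPE_SSHFP = 44
TYPE_RRSIG = 46
CLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype, txid=0x1234, do=True, udp_size=4096):
    """Stub query: RD set, plus an OPT RR; DO asks the resolver for DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt_ttl = EDNS_DO if do else 0    # ext-rcode=0, version=0, DO, Z=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def iter_records(msg):
    """Yield (section, type, class, ttl, rdata) for every RR after the question."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4
    for section, count in (("an", h["ancount"]), ("ns", h["nscount"]), ("ar", h["arcount"])):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            yield section, rtype, rclass, ttl, msg[off:off + rdlen]
            off += rdlen


def query_sets_do(msg):
    """True if the message carries an OPT RR with the DO bit on."""
    return any(t == TYPE_OPT and ttl & EDNS_DO for _, t, _, ttl, _ in iter_records(msg))


def classify(response):
    """What a stub learns from a validating resolver's answer."""
    h = parse_header(response)
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus"        # validation failed; the resolver withheld the data
    if h["flags"] & FLAG_AD:
        return "secure"       # signed, and validated by the resolver
    return "insecure"         # unsigned (or the resolver does not validate)


def build_response(query, flags_extra=0, rcode=0, answers=()):
    """Constructed response to `query`: same ID and question, given flags and answer RRs."""
    h = parse_header(query)
    qend = skip_name(query, 12) + 4
    flags = FLAG_QR | FLAG_RD | FLAG_RA | flags_extra | rcode
    header = struct.pack("!HHHHHH", h["id"], flags, 1, len(answers), 0, 0)
    body = b""
    for rtype, rdata in answers:
        # 0xC00C: compression pointer to the question name at offset 12
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return header + query[12:qend] + body


# Constructed sample data: SSHFP rdata = algorithm 1 (RSA), fptype 1 (SHA-1), 20-byte fingerprint
SSHFP_RDATA = bytes([1, 1]) + bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
FAKE_RRSIG = b"\x00" * 20   # placeholder rdata; the stub never inspects the signature itself

QUERY = build_query("host.example.net.", TYPE_SSHFP)
UNSIGNED = build_response(QUERY, answers=[(TYPE_SSHFP, SSHFP_RDATA)])
VALIDATED = build_response(QUERY, flags_extra=FLAG_AD,
                           answers=[(TYPE_SSHFP, SSHFP_RDATA), (TYPE_RRSIG, FAKE_RRSIG)])
BOGUS = build_response(QUERY, rcode=RCODE_SERVFAIL)

if __name__ == "__main__":
    print("query sets DO:", query_sets_do(QUERY))
    for label, resp in (("unsigned", UNSIGNED), ("validated", VALIDATED), ("bogus", BOGUS)):
        print(f"{label:10s} -> {classify(resp)}")
```

The caveat a practitioner should keep in mind: the AD bit is a claim made by the recursive resolver, not a proof the stub can check. It is only worth trusting when the path to that resolver is trusted (a validating resolver on localhost, or one reached over a trusted network), because anyone who can spoof responses on that path can set AD on a forged answer. For the SSHFP case in the thread, that means a remote "validating" resolver across an untrusted network does not by itself make the record trustworthy; the validation needs to happen locally or on the far side of a trusted channel. Against a real resolver, `dig +dnssec` shows the same thing this code inspects: the `ad` flag in the header, and RRSIG records alongside the answer.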
