Date: Wed, 22 Jun 2011 15:02:42 -0400
From: "Osterweil, Eric" <eosterweil@verisign.com>
To: Leon Meßner <l.messner@physik.tu-berlin.de>, <freebsd-questions@freebsd.org>
Subject: Re: dnssec with freebsd's resolver(3)
Message-ID: <CA27B492.C80F%eosterweil@verisign.com>
In-Reply-To: <20110622185642.GB74606@emmi.physik-pool.tu-berlin.de>
On 6/22/11 2:56 PM, "Leon Meßner" <l.messner@physik.tu-berlin.de> wrote:

> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
>> On 20/06/2011 01:37, Leon Meßner wrote:
>>> Does the FreeBSD resolver(3) support sending the DO bit in queries and
>>> thus do DNSSEC validation? I tried using ssh with SSHFP RRs in a
>>> signed zone but I still get the "insecure Key" message from ssh on
>>> FreeBSD (works on some other OS).
>>
>> My understanding is that the stub resolver in the base system does not
>> handle any DNSSEC functionality. It's not clear (at least to me) that
>> DO bit processing in stub resolvers is very useful -- without support in
>> the recursive resolver you use upstream, it won't work, but if your
>> recursive resolver does DO processing, then you don't need it in your
>> stub resolver.
>
> Ok, my recursive resolver does DO processing. How do I tell ssh to set
> the bit? Doesn't ssh use my base system stub resolver to query the DNS
> server configured in resolv.conf?

I'm not sure what you mean by "DO processing," but validation requires a little more than issuing queries with the DO bit set (that has been the default in BIND for a while). You need to have the root (or some other) trust anchor configured, and you need to enable DNSSEC validation in your named.conf. Only after that will you see the AD bit at the stub.

Eric
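Eric's point, that setting DO only asks for DNSSEC data while the validation result comes back as the AD bit in the response header, is easiest to see on the wire. The following is an added example, not code from this thread or from any FreeBSD or BIND source: it builds an SSHFP query carrying an EDNS0 OPT pseudo-RR with DO=1, then parses the header flags of a reply the way a stub would to read the AD bit. The reply is constructed in the code (not a captured packet), and `host.example.` and the all-zero fingerprint bytes are placeholders.

```python
"""
Minimal DNS wire-format helpers (standard library only) showing where the
DO bit lives (top bit of the OPT RR's 32-bit TTL field, RFC 3225) and where
the AD bit lives (header flags, RFC 4035). Added example, not from the thread.
"""
import struct

QTYPE_SSHFP = 44
TYPE_OPT = 41
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
DO_BIT = 0x8000  # DO flag inside the OPT RR's TTL field


def encode_name(name):
    """Encode 'host.example.' as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, want_dnssec=True, txid=0x1234, udp_size=4096):
    """Build a recursive (RD=1) query; with want_dnssec, append an OPT RR with DO=1."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    msg = header + question
    if want_dnssec:
        # OPT: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode(8)|version(8)|DO(1)|Z(15), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Return header flags plus the DO bit of the OPT RR if one is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    do = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_BIT)
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "do": do,
        "answers": an,
    }


def constructed_response(query):
    """Constructed reply (not a captured packet) of the kind a validating recursive
    resolver returns: AD=1 in the header, one SSHFP answer, OPT echoing DO=1."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
    question = encode_name("host.example.") + struct.pack("!HH", QTYPE_SSHFP, 1)
    # SSHFP rdata: algorithm=4 (Ed25519), fptype=2 (SHA-256), placeholder 32-byte fingerprint
    rdata = bytes([4, 2]) + bytes(32)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SSHFP, 1, 3600, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    q = build_query("host.example.", QTYPE_SSHFP)
    print("query carries DO:", parse_message(q)["do"])
    r = parse_message(constructed_response(q))
    print("response AD bit:", r["ad"], "answers:", r["answers"])
```

Reading AD this way is exactly as trustworthy as the recursive resolver that set it and the path between stub and resolver: a non-validating resolver never sets it, and nothing in the bit itself proves it was not altered in transit. That is why the thread's advice is to configure the trust anchor and enable validation on the recursive side, with the stub only consuming the result.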
