On 22/06/2011 20:02, Osterweil, Eric wrote:
>
> On 6/22/11 2:56 PM, "Leon Meßner" <l.mess...@physik.tu-berlin.de> wrote:
>
>> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
>>> On 20/06/2011 01:37, Leon Meßner wrote:
>>>> Does the FreeBSD resolver(3) support sending the DO bit in queries and
>>>> thus do DNSSEC validation? I tried using ssh with SSHFP RRs in a
>>>> signed zone but I still get the "insecure Key" message from ssh on
>>>> FreeBSD (works on some other OS).
>>>
>>> My understanding is that the stub resolver in the base system does not
>>> handle any DNSSEC functionality. It's not clear (at least to me) that
>>> DO bit processing in stub resolvers is very useful -- without support in
>>> the recursive resolver you use upstream, it won't work, but if your
>>> recursive resolver does DO processing, then you don't need it in your
>>> stub resolver.
>>
>> Ok, my recursive resolver does DO processing. How do I tell ssh to set
>> the bit? Doesn't ssh use my base system stub resolver to query the DNS
>> server configured in my resolv.conf?
>
> I'm not sure what you mean by "DO processing," but validation requires a
> little more than issuing queries w/ the DO bit set (that has been the
> default in BIND for a while). You need to have the root (or some other)
> trust-anchor configured, and you need to enable DNSSEC validation in your
> named.conf.
>
> Only after that will you see the AD bit at the stub.
Actually, typically with a correctly configured validating resolver, as
an end user issuing queries from the system's stub resolver, you'll only
see responses with data that is either:

  -- completely unsigned
  -- signed, and that validates correctly

Data that doesn't validate correctly is discarded. Better make sure
your DNSSEC setup is correctly maintained and updated, or your domains
may effectively disappear from the net.

"validates correctly" is a function of how your recursive resolver is
configured: for instance, you will probably want to trust DLV secured
data until authentication paths up to the root become more prevalent in
all corners of the DNS.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
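As an added illustration of what the thread is describing (this is not code from the thread or from FreeBSD/OpenSSH), the following standard-library Python script builds an SSHFP query with the DO bit set in its EDNS0 OPT record and then reads back the header bits a stub resolver would actually look at: the AD bit, the CD bit and the RCODE. The three responses are constructed inside the script rather than fetched from a real resolver, and the host name, transaction ID and SSHFP fingerprint are made up. The point it shows is the one Matthew makes: from the stub's side a validating resolver hands back either validated data (AD=1), unsigned data (AD=0, which is what OpenSSH reports as an insecure SSHFP match), or nothing at all (SERVFAIL) for data that failed validation. One caveat worth knowing: that last rule only holds when the stub does not set the CD (checking disabled) bit; a CD=1 query asks the resolver to pass bogus data through for the client to validate itself.

```python
"""Minimal DNS wire-format helpers for inspecting the DNSSEC-related bits
seen by a stub resolver. Standard library only, no network: every
"response" in this file is constructed by build_response() for the example.
"""
import struct

QTYPE_SSHFP = 44
TYPE_OPT = 41
RCODE_SERVFAIL = 2
# Header flag bits (RFC 1035 / RFC 4035): QR, RD, RA, AD, CD.
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
# The DO bit lives in the high bit of the OPT RR's "TTL" field (RFC 6891 6.1.3).
EDNS_DO = 0x8000

# Constructed SSHFP rdata: algorithm 1 (RSA), fingerprint type 1 (SHA-1),
# followed by a made-up 20-byte fingerprint. Purely illustrative.
SAMPLE_SSHFP = bytes([1, 1]) + bytes(range(20))


def encode_name(name):
    """Encode a dotted host name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer
            return off + 2
        off += 1 + length


def build_query(name, qtype, txid=0x1234, do=True, cd=False, udp_size=4096):
    """Build a recursive query with an EDNS0 OPT record; DO asks for DNSSEC RRs."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # QD=1, AR=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return header + question + opt


def build_response(query, ad=True, rcode=0, rdata_list=()):
    """Construct the answer a resolver might return to `query` (example data only)."""
    txid, _, qdcount, _, _, _ = struct.unpack_from("!HHHHHH", query, 0)
    qend = 12
    for _ in range(qdcount):
        qend = skip_name(query, qend) + 4
    question = query[12:qend]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(rdata_list), 0, 1)
    answers = b""
    for rdata in rdata_list:
        # Owner name compressed to the question name at offset 12; class IN, TTL 300.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SSHFP, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + answers + opt


def parse_flags(msg):
    """Extract the header bits and the DO bit (from the OPT RR) of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF, "do": do, "ancount": an}


def stub_view(resp):
    """Classify a response the way a DNSSEC-aware stub (or OpenSSH's SSHFP check) does."""
    f = parse_flags(resp)
    if f["rcode"] == RCODE_SERVFAIL:
        # Validation failure is reported as SERVFAIL with no data; from the stub's
        # side this is indistinguishable from the resolver simply being broken.
        return "bogus"
    if f["ad"]:
        return "secure"      # signed and validated by the upstream resolver
    return "insecure"        # unsigned (or the resolver is not validating)


if __name__ == "__main__":
    q = build_query("host.example.", QTYPE_SSHFP)
    print("query:", parse_flags(q))
    for label, kwargs in [("validated", dict(ad=True, rdata_list=[SAMPLE_SSHFP])),
                          ("unsigned", dict(ad=False, rdata_list=[SAMPLE_SSHFP])),
                          ("bogus", dict(ad=False, rcode=RCODE_SERVFAIL))]:
        print(label, "->", stub_view(build_response(q, **kwargs)))
```

Note that build_query sets DO but leaves CD clear, which is the combination a validating resolver expects from a stub that wants it to do the validation; set cd=True only if the client intends to validate RRSIGs itself.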