This mail got only send to Matthew because of bad time of day ;) On Wed, Jun 22, 2011 at 10:58:00PM +0100, Matthew Seaman wrote: > On 22/06/2011 20:02, Osterweil, Eric wrote: > > > > > > > > On 6/22/11 2:56 PM, "Leon Meßner" <l.mess...@physik.tu-berlin.de> wrote: > > > >> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote: > >>> On 20/06/2011 01:37, Leon Meßner wrote: > >>>> does the freebsd resolver(3) support sending the DO bit in queries and > >>>> thus do DNSSEC validation ? I tried using ssh with SSHFP RR's in a > >>>> signed zone but i still get the "insecure Key" message from ssh on > >>>> FreeBSD (works on some other OS). > >>> > >>> My understanding is that the stub resolver in the base system does not > >>> handle any DNSSEC functionality. It's not clear (at least to me) that > >>> DO bit processing in stub resolvers is very useful -- without support in > >>> the recursive resolver you use upstream, it won't work, but if your > >>> recursive resolver does DO processing, then you don't need it in your > >>> stub resolver. > >> > >> Ok, my recursive resolver does DO processing. How do i tell ssh to set > >> the bit ? Doesn't ssh use my base system stub resolveer to query my in > >> resolv.conf configured DNS ? > > > > I'm not sure what you mean by "DO processing," but validation requires a > > little more than issuing queries w/ the DO bit set (that has been the > > default in BIND for a while). You need to have the root (or some other) > > trust-anchor configured, and you need to enable DNSSEC validation in your > > named.conf. > > > > Only after that will you see the AD bit at the stub. > > Actually, typically with a correctly configured validating resolver, as > an end user issuing queries from the system's stub resolver, you'll only > see responses with data that is either: > > -- completely unsigned > > -- signed, and that validates correctly > > Data that doesn't validate correctly is discarded. Better make sure > your DNSSEC setup is correctly maintained and updated, or your domains > may effectively disappear from the net. > > "validates correctly" is a function of how your recursive resolver is > configured: for instance, you will probably want to trust DLV secured > data until authentication paths up to the root become more prevalent in > all corners of the DNS.
The only thing i want to do at the moment is serve my local zone to my local clients. If i do % dig @dns +dnssec rosa.physik-pool.tu-berlin.de i get ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3 and also i can see the D0 bit set when looking at the tcpdump. If i now use the stub resolver through telnet/ssh the D0 bit does _not_ get set in the query. So there is no way for the recursive NS to supply AD data, right ? thanks for helping the blind. Leon _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
