dnssec with freebsd's resolver(3)

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Jun 20 05:17:36 UTC 2011

On 20/06/2011 01:37, Leon Meßner wrote:
> does the freebsd resolver(3) support sending the DO bit in queries and
> thus do DNSSEC validation ? I tried using ssh with SSHFP RR's in a
> signed zone but i still get the "insecure Key" message from ssh on
> FreeBSD (works on some other OS).

My understanding is that the stub resolver in the base system does not
handle any DNSSEC functionality.  It's not clear (at least to me) that
DO bit processing in stub resolvers is very useful -- without support in
the recursive resolver you use upstream, it won't work, but if your
recursive resolver does DO processing, then you don't need it in your
stub resolver.

named(8) in the base system is DNSSEC capable, but if you want to run an
authoritative server with the data signed using DNSSEC then you should
probably run one the dns/bind98 port due to the much improved key
handling support in mor recent BIND versions.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20110620/ff480cbd/signature.pgp

More information about the freebsd-questions mailing list