dnssec with freebsd's resolver(3)
Leon Meßner
l.messner at physik.tu-berlin.de
Wed Jun 22 18:56:45 UTC 2011
On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
> On 20/06/2011 01:37, Leon Meßner wrote:
> > does the FreeBSD resolver(3) support sending the DO bit in queries and
> > thus do DNSSEC validation? I tried using ssh with SSHFP RR's in a
> > signed zone but I still get the "insecure Key" message from ssh on
> > FreeBSD (works on some other OS).
>
> My understanding is that the stub resolver in the base system does not
> handle any DNSSEC functionality. It's not clear (at least to me) that
> DO bit processing in stub resolvers is very useful -- without support in
> the recursive resolver you use upstream, it won't work, but if your
> recursive resolver does DO processing, then you don't need it in your
> stub resolver.

Ok, my recursive resolver does DO processing. How do I tell ssh to set
the bit? Doesn't ssh use my base system stub resolver to query my in
resolv.conf configured DNS?

thanks,
Leon
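
For reference, an added example (not part of the original thread): how the DO bit discussed above is carried in the EDNS0 OPT record of an SSHFP query, and where the AD flag that a validating recursive resolver sets sits in the response header. The host name, query ID, UDP size and the two sample response headers are constructed for illustration.

```python
import struct

TYPE_SSHFP, TYPE_OPT = 44, 41      # RR types: SSHFP (RFC 4255), EDNS0 OPT (RFC 6891)
FLAG_RD, FLAG_AD = 0x0100, 0x0020  # header flags: recursion desired, authenticated data
EDNS_DO = 0x8000                   # "DNSSEC OK" flag inside the OPT TTL field (RFC 3225)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, do_bit, qid=0x1234, udp_size=1232):
    """Build an SSHFP query carrying one EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", TYPE_SSHFP, 1)  # class IN
    # OPT: root name, type 41, class = UDP size, TTL = ext-rcode|version|flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do_bit else 0, 0)
    return header + question + opt

def query_sets_do(msg):
    """Return True if a query (no answer/authority RRs) has an OPT record with DO set."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    if qd != 1 or an or ns or ar < 1:
        return False
    pos = 12
    while msg[pos]:                # skip the uncompressed question name
        pos += 1 + msg[pos]
    pos += 1 + 4                   # zero byte, then QTYPE and QCLASS
    if msg[pos] != 0:              # OPT owner name must be the root
        return False
    rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    return rtype == TYPE_OPT and bool(ttl & EDNS_DO)

def response_has_ad(msg):
    """Return True if the response header has the AD flag set."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_AD)

# Constructed samples: response headers with QR, RD, RA set, with and without AD.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
```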