dnssec with freebsd's resolver(3)
eosterweil at verisign.com
Thu Jun 23 18:44:06 UTC 2011
On 6/23/11 2:23 PM, "Leon Meßner" <l.messner at physik.tu-berlin.de> wrote:
> This mail got only send to Matthew because of bad time of day ;)
> On Wed, Jun 22, 2011 at 10:58:00PM +0100, Matthew Seaman wrote:
>> On 22/06/2011 20:02, Osterweil, Eric wrote:
>>> On 6/22/11 2:56 PM, "Leon Meßner" <l.messner at physik.tu-berlin.de> wrote:
>>>> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
>>> I'm not sure what you mean by "DO processing," but validation requires a
>>> little more than issuing queries w/ the DO bit set (that has been the
>>> default in BIND for a while). You need to have the root (or some other)
>>> trust-anchor configured, and you need to enable DNSSEC validation in your
>>> Only after that will you see the AD bit at the stub.
>> Actually, typically with a correctly configured validating resolver, as
>> an end user issuing queries from the system's stub resolver, you'll only
>> see responses with data that is either:
>> -- completely unsigned
>> -- signed, and that validates correctly
>> Data that doesn't validate correctly is discarded. Better make sure
>> your DNSSEC setup is correctly maintained and updated, or your domains
>> may effectively disappear from the net.
>> "validates correctly" is a function of how your recursive resolver is
>> configured: for instance, you will probably want to trust DLV secured
>> data until authentication paths up to the root become more prevalent in
>> all corners of the DNS.
> The only thing i want to do at the moment is serve my local zone to my
> local clients. If i do
> % dig @dns +dnssec rosa.physik-pool.tu-berlin.de
> i get
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4,
> ADDITIONAL: 3
> and also i can see the D0 bit set when looking at the tcpdump. If i now
> use the stub resolver through telnet/ssh the D0 bit does _not_ get set
> in the query. So there is no way for the recursive NS to supply AD data,
> right ?
That is correct, sorry. If the stub doesn't request DNSSEC enabled (via the
DO bit), then the resolver will not return the validation bit. :(
I did a little bit of googling, and found these instructions but I have not
tried any of this myself:
(Look under the "Requirements" section)
There seemed to be a lot of people suggesting that opening bug reports will
prompt more attention to this.
> thanks for helping the blind.
Not at all! :)
More information about the freebsd-questions