dnssec with freebsd's resolver(3)

Osterweil, Eric eosterweil at verisign.com
Wed Jun 22 19:29:59 UTC 2011

On 6/22/11 2:56 PM, "Leon Meßner" <l.messner at physik.tu-berlin.de> wrote:

> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
>> On 20/06/2011 01:37, Leon Meßner wrote:
>>> does the freebsd resolver(3) support sending the DO bit in queries and
>>> thus do DNSSEC validation ? I tried using ssh with SSHFP RR's in a
>>> signed zone but i still get the "insecure Key" message from ssh on
>>> FreeBSD (works on some other OS).
>> My understanding is that the stub resolver in the base system does not
>> handle any DNSSEC functionality.  It's not clear (at least to me) that
>> DO bit processing in stub resolvers is very useful -- without support in
>> the recursive resolver you use upstream, it won't work, but if your
>> recursive resolver does DO processing, then you don't need it in your
>> stub resolver.
> Ok, my recursive resolver does DO processing. How do i tell ssh to set
> the bit ? Doesn't ssh use my base system stub resolveer to query my in
> resolv.conf configured DNS ?

I'm not sure what you mean by "DO processing," but validation requires a
little more than issuing queries w/ the DO bit set (that has been the
default in BIND for a while).  You need to have the root (or some other)
trust-anchor configured, and you need to enable DNSSEC validation in your

Only after that will you see the AD bit at the stub.


More information about the freebsd-questions mailing list