dnssec with freebsd's resolver(3)
Osterweil, Eric
eosterweil at verisign.com
Wed Jun 22 19:29:59 UTC 2011
On 6/22/11 2:56 PM, "Leon Meßner" <l.messner at physik.tu-berlin.de> wrote:
> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
>> On 20/06/2011 01:37, Leon Meßner wrote:
>>> does the freebsd resolver(3) support sending the DO bit in queries and
>>> thus do DNSSEC validation ? I tried using ssh with SSHFP RR's in a
>>> signed zone but i still get the "insecure Key" message from ssh on
>>> FreeBSD (works on some other OS).
>>
>> My understanding is that the stub resolver in the base system does not
>> handle any DNSSEC functionality. It's not clear (at least to me) that
>> DO bit processing in stub resolvers is very useful -- without support in
>> the recursive resolver you use upstream, it won't work, but if your
>> recursive resolver does DO processing, then you don't need it in your
>> stub resolver.
>
> Ok, my recursive resolver does DO processing. How do i tell ssh to set
> the bit ? Doesn't ssh use my base system stub resolveer to query my in
> resolv.conf configured DNS ?
I'm not sure what you mean by "DO processing," but validation requires a
little more than issuing queries w/ the DO bit set (that has been the
default in BIND for a while). You need to have the root (or some other)
trust-anchor configured, and you need to enable DNSSEC validation in your
named.conf.
Only after that will you see the AD bit at the stub.
Eric
More information about the freebsd-questions
mailing list