dnssec with freebsd's resolver(3)

Leon Meßner l.messner at physik.tu-berlin.de
Thu Jun 23 18:23:53 UTC 2011


This mail only got sent to Matthew because of the bad time of day ;)

On Wed, Jun 22, 2011 at 10:58:00PM +0100, Matthew Seaman wrote:
> On 22/06/2011 20:02, Osterweil, Eric wrote:
> > 
> > 
> > 
> > On 6/22/11 2:56 PM, "Leon Meßner" <l.messner at physik.tu-berlin.de> wrote:
> > 
> >> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
> >>> On 20/06/2011 01:37, Leon Meßner wrote:
> >>>> does the freebsd resolver(3) support sending the DO bit in queries and
> >>>> thus do DNSSEC validation? I tried using ssh with SSHFP RRs in a
> >>>> signed zone but I still get the "insecure Key" message from ssh on
> >>>> FreeBSD (works on some other OS).
> >>>
> >>> My understanding is that the stub resolver in the base system does not
> >>> handle any DNSSEC functionality.  It's not clear (at least to me) that
> >>> DO bit processing in stub resolvers is very useful -- without support in
> >>> the recursive resolver you use upstream, it won't work, but if your
> >>> recursive resolver does DO processing, then you don't need it in your
> >>> stub resolver.
> >>
> >> Ok, my recursive resolver does DO processing. How do I tell ssh to set
> >> the bit? Doesn't ssh use my base system stub resolver to query the DNS
> >> configured in my resolv.conf?
> > 
> > I'm not sure what you mean by "DO processing," but validation requires a
> > little more than issuing queries w/ the DO bit set (that has been the
> > default in BIND for a while).  You need to have the root (or some other)
> > trust-anchor configured, and you need to enable DNSSEC validation in your
> > named.conf.
> > 
> > Only after that will you see the AD bit at the stub.
> 
> Actually, typically with a correctly configured validating resolver, as
> an end user issuing queries from the system's stub resolver, you'll only
> see responses with data that is either:
> 
>     -- completely unsigned
> 
>     -- signed, and that validates correctly
> 
> Data that doesn't validate correctly is discarded.  Better make sure
> your DNSSEC setup is correctly maintained and updated, or your domains
> may effectively disappear from the net.
> 
> "validates correctly" is a function of how your recursive resolver is
> configured: for instance, you will probably want to trust DLV secured
> data until authentication paths up to the root become more prevalent in
> all corners of the DNS.


The only thing I want to do at the moment is serve my local zone to my
local clients. If I do

% dig @dns +dnssec rosa.physik-pool.tu-berlin.de

I get

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4,
ADDITIONAL: 3

and I can also see the DO bit set when looking at the tcpdump. If I now
use the stub resolver through telnet/ssh, the DO bit does _not_ get set
in the query. So there is no way for the recursive NS to supply AD data,
right?

thanks for helping the blind.

Leon
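The difference Leon is seeing between `dig +dnssec` and the stub resolver lives in two bits on the wire: the DO bit, which is not in the DNS header at all but in the TTL field of the EDNS0 OPT pseudo-RR a client appends to its query, and the AD bit in the response header, which a validating recursive server sets only when the data validated and (per RFC 6840 section 5.8) the query carried DO or AD. The following is an added example, not code from either mail or from FreeBSD: it builds an SSHFP query for the name above with and without DO, and parses a constructed response (the fingerprint bytes and the response itself are made up, not a capture) so that the same flags line dig prints can be reproduced from raw packet bytes.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035) and the EDNS0 DO bit (RFC 3225).
HDR_QR, HDR_AA, HDR_TC, HDR_RD = 0x8000, 0x0400, 0x0200, 0x0100
HDR_RA, HDR_AD, HDR_CD = 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000          # lives in the high 16 bits of the OPT RR "TTL"
TYPE_SSHFP, TYPE_OPT = 44, 41

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + l

def build_query(name, qtype=TYPE_SSHFP, txid=0x1234, do=True, udp_size=4096):
    """Recursion-desired query with an EDNS0 OPT RR; DO set when do=True."""
    header = struct.pack("!HHHHHH", txid, HDR_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt_ttl = EDNS_DO if do else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt

def parse_flags(msg):
    """Extract header bits, rcode and the DO bit (from the OPT RR, if any)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # qtype + qclass
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return {
        "id": txid, "rcode": flags & 0x000F, "do": do,
        "qr": bool(flags & HDR_QR), "aa": bool(flags & HDR_AA),
        "tc": bool(flags & HDR_TC), "rd": bool(flags & HDR_RD),
        "ra": bool(flags & HDR_RA), "ad": bool(flags & HDR_AD),
        "cd": bool(flags & HDR_CD),
    }

def flags_line(f):
    """Render the header bits the way dig's ';; flags:' line does."""
    return " ".join(b for b in ("qr", "aa", "tc", "rd", "ra", "ad", "cd") if f[b])

def constructed_response(query, ad=True):
    """Constructed sample of what a validating recursive server might send
    back for build_query(): one SSHFP answer (made-up SHA-1 fingerprint),
    DO echoed in the OPT RR, AD set only when ad=True. Not a real capture."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = HDR_QR | HDR_RD | HDR_RA | (HDR_AD if ad else 0)
    q_end = skip_name(query, 12) + 4
    question = query[12:q_end]
    rdata = bytes([1, 1]) + bytes(range(20))   # alg=RSA, fptype=SHA-1, 20 bytes
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SSHFP, 1, 3600, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1) + question + answer + opt

if __name__ == "__main__":
    name = "rosa.physik-pool.tu-berlin.de"
    for do in (True, False):
        q = build_query(name, do=do)
        print("query  DO=%s -> %s" % (do, flags_line(parse_flags(q))))
    r = parse_flags(constructed_response(build_query(name)))
    print("response flags: %s; DO=%s" % (flags_line(r), r["do"]))
```

Feeding the bytes from `tcpdump -X` into `parse_flags` is the quickest way to confirm which side is dropping the DO bit: a query whose `do` comes back False never asked for DNSSEC data, and a response with `ad` False on a signed zone means either the query lacked DO/AD or validation did not succeed upstream.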

