From: "Osterweil, Eric" <eosterweil@verisign.com>
To: Leon Meßner, freebsd-questions@freebsd.org
Date: Thu, 23 Jun 2011 14:43:43 -0400
Subject: Re: dnssec with freebsd's resolver(3)
In-Reply-To: <20110623182346.GD74606@emmi.physik-pool.tu-berlin.de>
On 6/23/11 2:23 PM, "Leon Meßner" wrote:

> This mail only got sent to Matthew because of the bad time of day ;)
>
> On Wed, Jun 22, 2011 at 10:58:00PM +0100, Matthew Seaman wrote:
>> On 22/06/2011 20:02, Osterweil, Eric wrote:
>>>
>>> On 6/22/11 2:56 PM, "Leon Meßner" wrote:
>>>
>>>> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
>>>
>>> I'm not sure what you mean by "DO processing," but validation requires a
>>> little more than issuing queries w/ the DO bit set (that has been the
>>> default in BIND for a while). You need to have the root (or some other)
>>> trust-anchor configured, and you need to enable DNSSEC validation in your
>>> named.conf.
>>>
>>> Only after that will you see the AD bit at the stub.
>>
>> Actually, typically with a correctly configured validating resolver, as
>> an end user issuing queries from the system's stub resolver, you'll only
>> see responses with data that is either:
>>
>> -- completely unsigned
>>
>> -- signed, and that validates correctly
>>
>> Data that doesn't validate correctly is discarded. Better make sure
>> your DNSSEC setup is correctly maintained and updated, or your domains
>> may effectively disappear from the net.
>>
>> "validates correctly" is a function of how your recursive resolver is
>> configured: for instance, you will probably want to trust DLV secured
>> data until authentication paths up to the root become more prevalent in
>> all corners of the DNS.
>
> The only thing I want to do at the moment is serve my local zone to my
> local clients. If I do
>
> % dig @dns +dnssec rosa.physik-pool.tu-berlin.de
>
> I get
>
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4,
> ADDITIONAL: 3
>
> and also I can see the DO bit set when looking at the tcpdump. If I now
> use the stub resolver through telnet/ssh the DO bit does _not_ get set
> in the query. So there is no way for the recursive NS to supply AD data,
> right?

That is correct, sorry. If the stub doesn't request DNSSEC enabled (via the
DO bit), then the resolver will not return the validation bit. :(

I did a little bit of googling, and found these instructions but I have not
tried any of this myself:

https://www.dnssec-tools.org/svn/dnssec-tools/trunk/htdocs/readme/README.ssh

(Look under the "Requirements" section)

There seemed to be a lot of people suggesting that opening bug reports will
prompt more attention to this.

> thanks for helping the blind.

Not at all! :)

Eric
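As an added example (not from the thread, and not FreeBSD's resolver(3) code), the Python below builds the two query shapes Leon compares, a `dig +dnssec` style query whose EDNS0 OPT record carries the DO bit and the plain stub form without one, and reads the AD and DO bits out of any wire-format message so the difference can be checked against a tcpdump capture; the reply it inspects is constructed inline, with the transaction id and UDP payload size chosen arbitrarily.

```python
import struct

# Flag positions from the DNS wire format (RFC 1035 header, RFC 6891 OPT RR).
AD_FLAG = 0x0020   # "Authenticated Data" bit in the 16-bit header flags word
DO_FLAG = 0x8000   # "DNSSEC OK" bit in the OPT pseudo-RR's 32-bit TTL field
OPT_TYPE = 41

def encode_name(name):
    """Uncompressed wire-format owner name: length-prefixed labels plus root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """A query with RD set; dnssec_ok=True appends an EDNS0 OPT RR carrying DO
    (what `dig +dnssec` sends), dnssec_ok=False is the plain stub-resolver form."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:  # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL = flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def inspect(msg):
    """Return (ad_set, do_set) for any wire-format DNS message, query or reply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    do_set = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & DO_FLAG:
            do_set = True
    return bool(flags & AD_FLAG), do_set

def constructed_reply(query, ad=True):
    """Constructed sample reply: the query echoed with QR/RA (and optionally AD)."""
    return query[:2] + struct.pack("!H", 0x8180 | (AD_FLAG if ad else 0)) + query[4:]
```

The same `inspect` can be run over the UDP payloads of a capture: a query from the stub that comes back `(False, False)` has no OPT record, so a validating resolver has nothing to set AD against.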