Date:      Mon, 20 Jun 2011 06:17:23 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: dnssec with freebsd's resolver(3)
Message-ID:  <4DFED7E3.8080203@infracaninophile.co.uk>
In-Reply-To: <20110620003727.GB25579@emmi.physik-pool.tu-berlin.de>
References:  <20110620003727.GB25579@emmi.physik-pool.tu-berlin.de>


On 20/06/2011 01:37, Leon Meßner wrote:
> does the FreeBSD resolver(3) support sending the DO bit in queries and
> thus do DNSSEC validation? I tried using ssh with SSHFP RR's in a
> signed zone but I still get the "insecure Key" message from ssh on
> FreeBSD (works on some other OS).

My understanding is that the stub resolver in the base system does not
handle any DNSSEC functionality.  It's not clear (at least to me) that
DO bit processing in stub resolvers is very useful -- without support in
the recursive resolver you use upstream, it won't work, but if your
recursive resolver does DO processing, then you don't need it in your
stub resolver.

named(8) in the base system is DNSSEC capable, but if you want to run an
authoritative server with the data signed using DNSSEC then you should
probably run the dns/bind98 port due to the much improved key
handling support in more recent BIND versions.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4DFED7E3.8080203>
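
An added illustration, not part of the original message: the DO bit discussed in this thread is carried in the EDNS0 OPT pseudo-record of a query (RFC 3225), and a validating recursive resolver reports its result in the AD bit of the reply header. The sketch below builds such a query for an SSHFP lookup and reads both bits back; `host.example.org`, the function names and the sample reply are constructed for the example.

```python
import struct

DO_BIT = 0x8000    # "DNSSEC OK": top bit of the OPT flags field (RFC 3225)
AD_BIT = 0x0020    # "Authenticated Data" bit in the DNS header flags
TYPE_OPT, TYPE_SSHFP = 41, 44

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype, qid, do=True, udp_size=1232):
    """Build a recursive query carrying an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root owner, CLASS = UDP payload size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n

def dnssec_flags(msg):
    """Return (do_set, ad_set) for a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4         # skip QTYPE and QCLASS
    do_set = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do_set = bool(ttl & DO_BIT)
    return do_set, bool(flags & AD_BIT)

def constructed_reply(query, validated):
    """Constructed sample: the query echoed with QR/RA set, AD only if validated."""
    flags = 0x8180 | (AD_BIT if validated else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("host.example.org", TYPE_SSHFP, 0x1234)
    print(dnssec_flags(q), dnssec_flags(constructed_reply(q, True)))
```

A client that relies on the AD bit without validating signatures itself is trusting both the recursive resolver and the network path to it, since the bit is an unauthenticated header flag.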