dnssec with freebsd's resolver(3)
Osterweil, Eric
eosterweil at verisign.com
Thu Jun 23 18:44:06 UTC 2011
On 6/23/11 2:23 PM, "Leon Meßner" <l.messner at physik.tu-berlin.de> wrote:
> This mail only got sent to Matthew because of the bad time of day ;)
>
> On Wed, Jun 22, 2011 at 10:58:00PM +0100, Matthew Seaman wrote:
>> On 22/06/2011 20:02, Osterweil, Eric wrote:
>>>
>>>
>>>
>>> On 6/22/11 2:56 PM, "Leon Meßner" <l.messner at physik.tu-berlin.de> wrote:
>>>
>>>> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:
<snip>
>>>
>>> I'm not sure what you mean by "DO processing," but validation requires a
>>> little more than issuing queries w/ the DO bit set (that has been the
>>> default in BIND for a while). You need to have the root (or some other)
>>> trust-anchor configured, and you need to enable DNSSEC validation in your
>>> named.conf.
>>>
>>> Only after that will you see the AD bit at the stub.
>>
>> Actually, typically with a correctly configured validating resolver, as
>> an end user issuing queries from the system's stub resolver, you'll only
>> see responses with data that is either:
>>
>> -- completely unsigned
>>
>> -- signed, and that validates correctly
>>
>> Data that doesn't validate correctly is discarded. Better make sure
>> your DNSSEC setup is correctly maintained and updated, or your domains
>> may effectively disappear from the net.
>>
>> "validates correctly" is a function of how your recursive resolver is
>> configured: for instance, you will probably want to trust DLV secured
>> data until authentication paths up to the root become more prevalent in
>> all corners of the DNS.
>
>
> The only thing I want to do at the moment is serve my local zone to my
> local clients. If I do
>
> % dig @dns +dnssec rosa.physik-pool.tu-berlin.de
>
> I get
>
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3
>
> and also I can see the DO bit set when looking at the tcpdump. If I now
> use the stub resolver through telnet/ssh the DO bit does _not_ get set
> in the query. So there is no way for the recursive NS to supply AD data,
> right?
That is correct, sorry. If the stub doesn't request DNSSEC enabled (via the
DO bit), then the resolver will not return the validation bit. :(
I did a little bit of googling, and found these instructions but I have not
tried any of this myself:
https://www.dnssec-tools.org/svn/dnssec-tools/trunk/htdocs/readme/README.ssh
(Look under the "Requirements" section)
There seemed to be a lot of people suggesting that opening bug reports will
prompt more attention to this.
>
> thanks for helping the blind.
Not at all! :)
Eric
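The exchange above comes down to two bits on the wire: the DO bit, which a client sets in an EDNS0 OPT record to say "I understand DNSSEC", and the AD bit, which a validating recursive resolver sets in its response header only when the data validated and the client asked for it. The following is an added example, not code from the thread or from FreeBSD's resolver(3): it builds a query with and without the DO bit (what `dig +dnssec` does versus what a plain stub does), decodes the flags from wire format, and uses a constructed stand-in for a validating resolver to show when AD comes back. The resolver stub, the helper names and the use of the thread's hostname as a label are all assumptions; no lookup is performed and nothing touches the network.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
DO_FLAG = 0x8000       # DO bit: top bit of the flags half of the OPT RR's TTL field
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(qname: str, qtype: int = 1, dnssec_ok: bool = False, txid: int = 0x1234) -> bytes:
    """Wire-format query. With dnssec_ok=True an OPT RR carrying DO is appended,
    which is what `dig +dnssec` sends and what a plain stub query lacks."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)     # QCLASS IN
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG, 0)
    return msg


def inspect(msg: bytes) -> dict:
    """Decode the header flags and walk every RR looking for an OPT RR with DO set."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & DO_FLAG:
            do = True
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD), "do": do}


def validating_resolver_response(query: bytes, data_validated: bool) -> bytes:
    """Constructed stand-in (an assumption, not a real resolver): echo the question
    and set AD only when validation succeeded AND the client asked for it, i.e.
    DO was set (RFC 6840 section 5.7 also lets a client ask by setting AD in the
    query). Answer RRs are omitted; only the flag behaviour matters here."""
    q = inspect(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if data_validated and (q["do"] or q["ad"]):
        flags |= FLAG_AD
    question = query[12:_skip_name(query, 12) + 4]
    return struct.pack("!HHHHHH", q["txid"], flags, 1, 0, 0, 0) + question


def stub_sees_ad(qname: str, dnssec_ok: bool, data_validated: bool = True) -> bool:
    """End to end: does the client end up seeing the AD bit for this query?"""
    query = build_query(qname, dnssec_ok=dnssec_ok)
    return inspect(validating_resolver_response(query, data_validated))["ad"]


if __name__ == "__main__":
    name = "rosa.physik-pool.tu-berlin.de"   # hostname from the thread, used only as a label
    print("dig +dnssec style query (DO set) -> AD seen:", stub_sees_ad(name, dnssec_ok=True))
    print("plain stub query (no DO)         -> AD seen:", stub_sees_ad(name, dnssec_ok=False))
    print("DO set but data fails validation -> AD seen:", stub_sees_ad(name, dnssec_ok=True, data_validated=False))
```

Running it prints True, False, False in that order, which is the situation in the thread: the resolver validates fine for `dig +dnssec`, but a stub that never emits the OPT record gives the resolver no way to report AD. The same `inspect` function can be pointed at bytes captured with tcpdump to confirm whether a given client actually put DO on the wire.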