> Doug Barton wrote:
> > Matthew Seaman wrote:
> >
> >> Are there any plans to enable DNSSEC capability in the resolver built
> >> into FreeBSD?
> >
> > The server is already capable of it. I'm seriously considering enabling
> > the define to make the CLI tools (dig/host/nslookup) capable as well
> > (there is already an OPTION for this in ports).
> 
> Forgive me for being obtuse.  What I meant was the capability to enable
> checking signatures on DNS RRs as a routine effect of getnameinfo() etc.
> by modifying resolver(3) routines or similar locally, without needing a
> DNSSEC-enabled recursive resolver listed in resolv.conf?  I've a feeling
> the answer is no, but I haven't been able to find anything definitive.
> 
> Which I suppose simply means that if you're in the habit of, for example,
> taking your laptop into the coffee shop and getting on line there then you
> need to run your own instance of named on your laptop rather than blindly
> trusting whatever servers the coffee shop provides via their DHCP.

        Use a local (on machine) validating caching nameserver.
 
> > The problem is that _using_ DNSSEC requires configuration changes in
> > named.conf, and more importantly, configuration of "trust anchors" (even
> > for the command line stuff) since the root is not signed. It's not hard
> > to do that with the DLV system that ISC has in place, and I would be
> > willing to create a conf file that shows how to do that for users to
> > include if they choose to. I am not comfortable enabling it by default
> > (not yet anyway), it's too big of a POLA issue.
> 
> I sense a business opportunity in providing DLV there.  I'm wondering why
> the likes of Verisign (including Thawte and Geotrust), Comodo group and
> GoDaddy aren't circling like vultures over a dead wildebeest.  Perhaps they
> are.

        You only need one DLV.  ISC is offering the service for free.
        Donations welcome as it does cost to run the service.

>       Cheers,
> 
>       Matthew
> 
> -- 
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
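For readers who want to do what Mark and Doug describe above (a local
validating, caching named with ISC's DLV registry as the lookaside trust
anchor, because the root was unsigned at the time), here is an added
named.conf example. It is not from this thread, from ISC or from the
FreeBSD port; it assumes BIND 9.4/9.5-era option syntax, that named runs
in /etc/namedb, and that the libc stub resolver does no validation of its
own, so the "ad" bit it sees is only as trustworthy as the path to the
server that set it. The DLV key string is a placeholder, not the real key.

```conf
// Added example, not part of the original thread or of ISC's / FreeBSD's
// own configuration.  Local validating caching resolver on 127.0.0.1.
options {
    directory "/etc/namedb";          // assumed; match your installation
    listen-on    { 127.0.0.1; };      // serve this machine only
    listen-on-v6 { ::1; };
    allow-query  { localhost; };
    recursion yes;

    // Optional: still use the coffee-shop servers as forwarders.  With
    // validation on they can deny service but cannot forge signed data,
    // which is the whole point of validating locally.
    // forwarders { 192.0.2.53; };    // documentation address, placeholder

    dnssec-enable yes;                // send and accept DNSSEC records (needs EDNS0)
    dnssec-validation yes;            // verify RRSIGs; unsigned-when-signed => SERVFAIL

    // No signed root yet, so for every zone ("."), fall back to the
    // dlv.isc.org lookaside registry when no configured trusted key
    // covers it.
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

// The DLV registry's key-signing key (flags 257 = KSK, protocol 3) is
// the root of trust for everything resolved through the lookaside, so it
// must be obtained from ISC's published copy and checked against a
// second channel, never pasted from an untrusted network.
// PLACEHOLDER: the string below is not the real key; a wrong or stale
// key here makes every DLV-covered zone fail validation (SERVFAIL).
trusted-keys {
    "dlv.isc.org." 257 3 5 "REPLACE_WITH_DLV_KSK_BASE64_FROM_ISC";
};

logging {
    // Log validation failures so a bogus zone is distinguishable from
    // an outage when lookups start returning SERVFAIL.
    channel dnssec_log {
        file "/var/log/named.dnssec" versions 3 size 1m;
        severity info;
        print-time yes;
    };
    category dnssec { dnssec_log; };
};
```

To make the stub resolver use it, /etc/resolv.conf should contain
`nameserver 127.0.0.1` and `options edns0`; note that dhclient rewrites
resolv.conf on each lease, so that setting has to be pinned or the
DHCP-supplied servers placed in the forwarders block instead. After
`rndc reload`, `dig @127.0.0.1 +dnssec www.isc.org A` should show `ad` in
the flags line for a zone with a DLV entry; repeating it with `+cd`
disables validation and drops the `ad` flag, which is a quick way to tell
a validation failure (SERVFAIL without `+cd`, answer with `+cd`) from an
ordinary resolution failure.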