On 6/23/11 2:23 PM, "Leon Meßner" <l.mess...@physik.tu-berlin.de> wrote:

> This mail only got sent to Matthew because of the bad time of day ;)
> 
> On Wed, Jun 22, 2011 at 10:58:00PM +0100, Matthew Seaman wrote:
>> On 22/06/2011 20:02, Osterweil, Eric wrote:
>>> 
>>> On 6/22/11 2:56 PM, "Leon Meßner" <l.mess...@physik.tu-berlin.de> wrote:
>>> 
>>>> On Mon, Jun 20, 2011 at 06:17:23AM +0100, Matthew Seaman wrote:

<snip>

>>> 
>>> I'm not sure what you mean by "DO processing," but validation requires a
>>> little more than issuing queries w/ the DO bit set (that has been the
>>> default in BIND for a while).  You need to have the root (or some other)
>>> trust-anchor configured, and you need to enable DNSSEC validation in your
>>> named.conf.
>>> 
>>> Only after that will you see the AD bit at the stub.
>> 
>> Actually, typically with a correctly configured validating resolver, as
>> an end user issuing queries from the system's stub resolver, you'll only
>> see responses with data that is either:
>> 
>>     -- completely unsigned
>> 
>>     -- signed, and that validates correctly
>> 
>> Data that doesn't validate correctly is discarded.  Better make sure
>> your DNSSEC setup is correctly maintained and updated, or your domains
>> may effectively disappear from the net.
>> 
>> "validates correctly" is a function of how your recursive resolver is
>> configured: for instance, you will probably want to trust DLV secured
>> data until authentication paths up to the root become more prevalent in
>> all corners of the DNS.
> 
> 
> The only thing I want to do at the moment is serve my local zone to my
> local clients. If I do
> 
> % dig @dns +dnssec rosa.physik-pool.tu-berlin.de
> 
> I get
> 
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4,
> ADDITIONAL: 3
> 
> and also I can see the DO bit set when looking at the tcpdump. If I now
> use the stub resolver through telnet/ssh the DO bit does _not_ get set
> in the query. So there is no way for the recursive NS to supply AD data,
> right?

That is correct, sorry.  If the stub doesn't request DNSSEC enabled (via the
DO bit), then the resolver will not return the validation bit. :(

I did a little bit of googling, and found these instructions but I have not
tried any of this myself:

https://www.dnssec-tools.org/svn/dnssec-tools/trunk/htdocs/readme/README.ssh
(Look under the "Requirements" section)

There seemed to be a lot of people suggesting that opening bug reports will
prompt more attention to this.

> 
> Thanks for helping the blind.

Not at all!  :)

Eric

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
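As an added worked example (not part of the thread, and not code from BIND, dig or dnssec-tools): the Python below builds a DNS query with and without the EDNS0 OPT pseudo-record that carries the DO bit, walks the wire format to show where DO actually lives (the top bit of the 16-bit flags half of the OPT record's "TTL" field), and decodes a response header the way dig prints its flags line. The response header is constructed inline to mirror the `flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3` line quoted above; nothing is sent on the network. The transaction ID, the 4096-byte payload size and the use of the qname from the thread are illustrative choices.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD added by RFC 2535/4035).
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
FLAG_NAMES = [("qr", FLAG_QR), ("aa", FLAG_AA), ("tc", FLAG_TC), ("rd", FLAG_RD),
              ("ra", FLAG_RA), ("ad", FLAG_AD), ("cd", FLAG_CD)]

TYPE_A = 1
TYPE_OPT = 41
# DO is the high bit of the 16-bit flags half of the OPT "TTL" (RFC 3225).
EDNS_DO = 0x8000


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, dnssec_ok=True, ad_flag=False, txid=0x1234):
    """Recursive query for qname. dnssec_ok appends an OPT RR with DO=1;
    ad_flag sets AD in the query header (the RFC 6840 section 5.7 signal)."""
    flags = FLAG_RD | (FLAG_AD if ad_flag else 0)
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL = extended-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO << 16, 0)
    return msg


def parse_header(msg):
    """Decode the fixed 12-byte header into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def flags_to_str(flags):
    """Render header flags the way dig prints them, e.g. 'qr rd ra ad'."""
    return " ".join(name for name, bit in FLAG_NAMES if flags & bit)


def _skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def query_sets_do(msg):
    """Walk every section and report whether an OPT RR with DO=1 is present.
    This is what a tcpdump/wireshark decode of the stub's query is telling you."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool((ttl >> 16) & EDNS_DO)
    return False


# Constructed response header mirroring the dig output in the thread:
# flags qr rd ra ad, QUERY 1, ANSWER 2, AUTHORITY 4, ADDITIONAL 3.
CONSTRUCTED_RESPONSE_HEADER = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 2, 4, 3)


if __name__ == "__main__":
    qname = "rosa.physik-pool.tu-berlin.de"
    for label, q in (("dig +dnssec style", build_query(qname)),
                     ("plain stub style", build_query(qname, dnssec_ok=False))):
        print(f"{label}: DO set = {query_sets_do(q)}, "
              f"header flags = '{flags_to_str(parse_header(q)['flags'])}'")
    print("resolver answer:", flags_to_str(parse_header(CONSTRUCTED_RESPONSE_HEADER)["flags"]))
```

Running it shows the dig-style query carrying DO while the plain query has no OPT record at all, which is the difference Leon saw in his tcpdump. One caveat worth keeping in mind when reading the exchange above: RFC 6840 section 5.7 also lets a validating resolver set AD in its response when the query itself carried the AD header bit, even without DO (this is what `dig +adflag` exercises); a stub that sets neither gets no AD bit back.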
