Hello Russell,

russell aspinwall <raspinw...@willows7.myzen.co.uk> writes:

> Could libresolv be modified so that it would permit the following
> directives in /etc/resolv.conf.
>
> dnssec enable - perform only DNSSEC queries (default mode of
>     operation if no directive supplied)
>
> dnssec disable - disable DNSSEC queries
>
> dnssec warn - warn about DNSSEC queries which are not authenticated
>
> dnssec ignore - ignore DNSSEC queries which are not authenticated
>
> dnssec trust <zone> | <zone1> .... <zoneN> - trust non-DNSSEC-signed
>     (non-public) internal zones only
The OS stub resolver (libc) does not perform DNSSEC validation. Without DNSSEC validation, it does not make much sense to send DNSSEC (DO flag) queries.

You could install BIND as a DNSSEC-validating resolver on your clients; then you have DNSSEC validation on the client.

If you enable DNSSEC validation on the local smart resolver (the BIND caching DNS in your network), this DNSSEC-validation-enabled smart resolver will query for DNSSEC information and will validate the DNSSEC information if there is a "chain of trust" towards a trust anchor. Should the DNSSEC validation fail, all clients will be protected, because the caching smart resolver will return only "SERVFAIL" to the clients, but not the (possibly spoofed) DNS data.

I have seen specially patched Linux resolver code that implements DNSSEC validation in the OS smart resolver, but I'm not sure if someone has ported that to OpenIndiana/Solaris. See also <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679828> for a similar discussion.

This project might implement what you are looking for (I haven't tested it): <https://github.com/edmonds/nss-ubdns>

The only OS to my knowledge that can be configured to ignore non-authenticated replies (AD flag missing) from a local smart resolver is Windows 7/8. That requires an IPsec tunnel to be built between the client and the smart resolver (done automatically in AD environments with this configuration) to create a trusted path between the client and the smart resolver. Also, the clients are provisioned (via GPO) with a list of DNSSEC-signed domains that must always validate.

-- 
Carsten
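The point made above is that a non-validating stub only ever sees two things from a validating upstream resolver: the AD bit in the response header, or a SERVFAIL when the chain of trust failed. The following is an added example (not code from this thread, from libresolv, BIND, or any OS resolver) that parses the header and question of a constructed wire-format DNS response and applies a per-zone policy shaped like the directives Russell proposed ("warn", "ignore", "trust <zone>") plus the GPO-style "must always validate" list mentioned for Windows. The function and policy names are hypothetical, the DNS messages are constructed inline rather than captured, and the example deliberately does no validation of its own, which is exactly the limitation the reply describes.

```python
"""Hypothetical stub-side policy driven by an upstream validator's AD flag.

Added example, not from the bind-users thread or any OS resolver.  The stub
cannot validate; it can only honour what the validating resolver reports:
AD set (chain of trust held), AD clear (unsigned or not validated), or
SERVFAIL (validation failed, no data returned).  Policy names are illustrative.
"""
import struct

# Header flag bits (RFC 1035; AD/CD from RFC 4035 section 3.2.3).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def encode_name(name):
    """Encode a dotted name as an uncompressed DNS label sequence."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed label sequence at off; return (absolute lower-case name, new off)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointer; the constructed messages here never use one
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", off


def build_response(qname, rcode=RCODE_NOERROR, ad=False, answer_ip=None, txid=0x1234):
    """Construct a minimal response: header, one A question, optional one A answer."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        msg += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # type, class, TTL, rdlength
    return msg


def parse_response(msg):
    """Extract the fields a stub needs for the AD/SERVFAIL decision."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    qname, _ = decode_name(msg, 12)
    return {"id": txid, "qname": qname, "rcode": flags & 0xF,
            "ad": bool(flags & FLAG_AD), "ancount": an}


def in_zone(name, zone):
    """True if name equals zone or lies below it (both treated as absolute names)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def decide(resp, mode="warn", trusted_unsigned=(), must_validate=()):
    """Return 'accept', 'warn' or 'reject' for a parsed response.

    mode: 'disable' (never consult AD), 'warn' (use data but flag it),
    'ignore' (drop unauthenticated data).  trusted_unsigned: internal zones
    allowed to answer without AD.  must_validate: zones for which AD is
    required whatever the mode (the provisioned list described for Windows).
    """
    if resp["rcode"] == RCODE_SERVFAIL:
        return "reject"            # the validator refused to hand over data at all
    if resp["ad"]:
        return "accept"            # upstream reports the chain of trust held
    name = resp["qname"]
    if any(in_zone(name, z) for z in must_validate):
        return "reject"
    if any(in_zone(name, z) for z in trusted_unsigned):
        return "accept"
    return {"disable": "accept", "warn": "warn", "ignore": "reject"}[mode]
```

Note that the AD bit is only meaningful if the path between stub and validating resolver cannot be tampered with, since an on-path attacker can set the bit on a forged reply; that is why the Windows configuration described above pairs the AD requirement with an IPsec tunnel to the resolver.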