[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?

Paul Wouters pwouters at redhat.com
Sun Mar 11 12:59:04 EDT 2012

On Sun, 11 Mar 2012, Niccolò Belli wrote:

> On 11/03/2012 17:45, Paul Wouters wrote:
>> I am not
>> sure what you otherwise would be thinking of?
> I want to encrypt just the path between the local gateway and the remote 
> servers, in such a way that packets travel in the clear on the local network 
> but are encrypted as soon as they reach the internet.

You mean just a LAN to LAN connection? That is not what we call "OE".

> By the way:
> Mar 11 17:48:22 nameserver named[727]: validating @0x7f3e4e7a9900: 
> fedoraproject.org A: no valid signature found

It works fine for me here:

[paul at thinkpad openswan.git]$ dig +dnssec fedoraproject.org

; <<>> DiG 9.9.0-RedHat-9.9.0-1.fc17 <<>> +dnssec fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46659
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;fedoraproject.org.		IN	A

fedoraproject.org.	60	IN	A
fedoraproject.org.	60	IN	A
fedoraproject.org.	60	IN	RRSIG	A 5 2 60 20120410153043
20120311153043 7725 fedoraproject.org.
X11TvlHqf2Ou5a1benKodvbQvsOZcla9n6tt9Jmj8lYyApSoKjBJ7nzN 58o=

Note the AD bit that says it is validated.


shows no issues either.

Note that you need DLV enabled because Fedora's registrar does not
support DNSSEC yet.
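As an added example (not part of the thread), a small parser that reads the header and EDNS flags of a `dig +dnssec` answer and separates a validated answer (AD bit set) from one that merely carries RRSIGs because the resolver itself is not validating, which is the situation the DLV remark points at. The samples are constructed from the shape of the output quoted above; the addresses and the RRSIG value are placeholders.

```python
import re

# Constructed samples modelled on the dig output quoted above (not the real
# responses; the address is a documentation range and the RRSIG is a placeholder).
DIG_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46659
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
fedoraproject.org.\t60\tIN\tA\t192.0.2.10
fedoraproject.org.\t60\tIN\tRRSIG\tA 5 2 60 20120410153043 20120311153043 7725 fedoraproject.org. PLACEHOLDER_SIG=
"""
# Same answer from a resolver that does not validate (e.g. no DLV configured):
# the RRSIGs are still returned, but the AD bit is absent.
DIG_NOT_VALIDATED = DIG_VALIDATED.replace("qr rd ra ad;", "qr rd ra;")
# A validating resolver that rejected the signatures answers SERVFAIL instead.
DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""


def dnssec_status(dig_output):
    """Read a `dig +dnssec` answer the way the thread does: the AD bit is the
    resolver's statement that the data validated; an RRSIG alone only shows
    that the zone is signed, not that anything was checked."""
    status = re.search(r"status: (\w+)", dig_output)
    hdr = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    edns = re.search(r"^; EDNS: .*flags: ([^;]*);", dig_output, re.M)
    header_flags = set(hdr.group(1).split()) if hdr else set()
    edns_flags = set(edns.group(1).split()) if edns else set()
    has_rrsig = re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", dig_output, re.M) is not None
    ad = "ad" in header_flags
    if status is None:
        verdict = "unparseable"
    elif status.group(1) == "SERVFAIL":
        verdict = "servfail"                # a validation failure is one common cause
    elif ad:
        verdict = "validated"
    elif has_rrsig:
        verdict = "signed-not-validated"    # RRSIGs present, but resolver set no AD
    elif "do" in edns_flags:
        verdict = "unsigned-or-insecure"    # DO was set, nothing signed came back
    else:
        verdict = "dnssec-not-requested"
    return {"status": status.group(1) if status else None, "ad": ad,
            "do": "do" in edns_flags, "rrsig": has_rrsig, "verdict": verdict}


if __name__ == "__main__":
    for name, out in [("validated", DIG_VALIDATED), ("not validated", DIG_NOT_VALIDATED),
                      ("servfail", DIG_SERVFAIL)]:
        print(name, "->", dnssec_status(out)["verdict"])
```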

