[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?
Paul Wouters
pwouters at redhat.com
Sun Mar 11 12:59:04 EDT 2012
On Sun, 11 Mar 2012, Niccolò Belli wrote:
> On 11/03/2012 17:45, Paul Wouters wrote:
>> I am not
>> sure what you otherwise would be thinking of?
>
> I want to encrypt just the path between the local gateway and the remote
> servers, in such a way that packets will travel in clear on the local network
> but encrypted as soon as they reach the internet.
You mean just a LAN to LAN connection? That is not what we call "OE".
> By the way:
> Mar 11 17:48:22 nameserver named[727]: validating @0x7f3e4e7a9900:
> fedoraproject.org A: no valid signature found
It works fine for me here:
[paul at thinkpad openswan.git]$ dig +dnssec fedoraproject.org
; <<>> DiG 9.9.0-RedHat-9.9.0-1.fc17 <<>> +dnssec fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46659
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fedoraproject.org. IN A
;; ANSWER SECTION:
fedoraproject.org. 60 IN A 80.239.156.214
fedoraproject.org. 60 IN A 209.132.181.15
fedoraproject.org. 60 IN RRSIG A 5 2 60 20120410153043
20120311153043 7725 fedoraproject.org.
Tnkpv6lKEn1vwp2b72t1+fpX+uCeztB69bD2aO8chaEB9NzorlyYkSPY
UwSKFzMUrYzJtAfsJpws8htircQJIg/ulZ5h3ojfCjYFHToYaJknlZ4t
X11TvlHqf2Ou5a1benKodvbQvsOZcla9n6tt9Jmj8lYyApSoKjBJ7nzN 58o=
Note the AD bit that says it is validated.
http://dnssec-debugger.verisignlabs.com/fedoraproject.org
shows no issues either.
Note that you need DLV enabled because Fedora's registrar does not
support DNSSEC yet.
Paul
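Paul's check is to look for the AD bit in the dig output. As an added example that is not part of the thread, this stdlib-only Python script parses a captured dig +dnssec answer (a constructed sample based on the one quoted above, with the RRSIG re-joined onto one line and the signature data abbreviated) and reports whether the resolver flagged the answer as validated, whether RRSIGs were actually requested, and whether the RRSIG validity window covers a given time; the parsing is heuristic on dig's text format and assumes one resource record per line.

```python
import re
from datetime import datetime

# Constructed sample: the dig +dnssec answer quoted above, with the RRSIG
# re-joined onto one line and its signature data abbreviated.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46659
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
fedoraproject.org. 60 IN A 80.239.156.214
fedoraproject.org. 60 IN A 209.132.181.15
fedoraproject.org. 60 IN RRSIG A 5 2 60 20120410153043 20120311153043 7725 fedoraproject.org. Tnkpv6lK...58o=
"""

# RRSIG rdata fields (RFC 4034 presentation format): type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer, signature.
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.M)

def _ts(s):
    return datetime.strptime(s, "%Y%m%d%H%M%S")  # RRSIG timestamps are UTC

def header_flags(output):
    m = re.search(r"^;; flags: ([^;]*);", output, re.M)
    return set(m.group(1).split()) if m else set()

def edns_do(output):
    m = re.search(r"^; EDNS: .*flags: ([^;]*);", output, re.M)
    return bool(m) and "do" in m.group(1).split()

def check_validation(output, now):
    """Return (ok, reasons) for a dig +dnssec answer at `now` (YYYYMMDDHHMMSS UTC).
    AD only means the *resolver* validated; rely on it only over a trusted path."""
    reasons = []
    if "ad" not in header_flags(output):
        reasons.append("AD bit not set: resolver did not validate the answer")
    if not edns_do(output):
        reasons.append("DO bit not set: RRSIGs were not requested")
    sigs = [m.groupdict() for m in RRSIG_RE.finditer(output)]
    if not sigs:
        reasons.append("no RRSIG in the answer section")
    for s in sigs:
        if not _ts(s["incept"]) <= _ts(now) <= _ts(s["expire"]):
            reasons.append(f"RRSIG over {s['covered']} (key tag {s['keytag']}) "
                           f"outside its validity window at {now}")
    return not reasons, reasons
```

A missing AD bit with a DO-flagged query is the symptom to look for when the resolver logs "no valid signature found" as in the quoted named message.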