[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?
pwouters at redhat.com
Sun Mar 11 12:59:04 EDT 2012
On Sun, 11 Mar 2012, Niccolò Belli wrote:
> On 11/03/2012 17:45, Paul Wouters wrote:
>> I am not
>> sure what you otherwise would be thinking of?
> I want to encrypt just the path between the local gateway and the remote
> servers, in such a way that packets will travel in clear in the local network but
> encrypted as soon as they reach the internet.
You mean just a lan to lan connection? That is not what we call "OE".
> By the way:
> Mar 11 17:48:22 nameserver named: validating @0x7f3e4e7a9900:
> fedoraproject.org A: no valid signature found
It works fine for me here:
[paul at thinkpad openswan.git]$ dig +dnssec fedoraproject.org
; <<>> DiG 9.9.0-RedHat-9.9.0-1.fc17 <<>> +dnssec fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46659
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fedoraproject.org. IN A
;; ANSWER SECTION:
fedoraproject.org. 60 IN A 220.127.116.11
fedoraproject.org. 60 IN A 18.104.22.168
fedoraproject.org. 60 IN RRSIG A 5 2 60 20120410153043
20120311153043 7725 fedoraproject.org.
Note the AD bit that says it is validated.
shows no issues either.
Note that you need DLV enabled because Fedora's registrar does not
support DNSSEC yet.
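
Added example, not part of the original message: the AD bit referred to above is bit 0x0020 of the flags word in the 12-byte DNS header, and this Python sketch decodes that word and classifies a response. The sample headers are constructed from the id, flags and counts printed in the dig output above; the function and constant names are hypothetical.

```python
import struct

# DNS header flag masks (RFC 1035; AD and CD defined by RFC 4035)
QR, TC, RD, RA, AD, CD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


def parse_flags(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident, "qr": bool(flags & QR), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK, "ancount": an,
    }


def classify(msg: bytes) -> str:
    """Report what the resolver claims about DNSSEC validation."""
    h = parse_flags(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["tc"]:
        return "truncated"      # retry over TCP before trusting anything
    if h["rcode"] == SERVFAIL:
        return "servfail"       # what a validating resolver returns for bogus data
    if h["ad"] and h["rcode"] in (NOERROR, NXDOMAIN):
        return "validated"      # answer (or denial) passed validation
    return "unvalidated"        # unsigned zone, CD set, or non-validating resolver


# Constructed headers. The first mirrors the dig output above:
# id 46659, flags "qr rd ra ad", QUERY 1, ANSWER 3, AUTHORITY 0, ADDITIONAL 1.
SAMPLE_VALIDATED = struct.pack("!6H", 46659, QR | RD | RA | AD, 1, 3, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!6H", 46659, QR | RD | RA, 1, 2, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!6H", 46659, QR | RD | RA | SERVFAIL, 1, 0, 0, 1)

if __name__ == "__main__":
    for name, pkt in [("validated", SAMPLE_VALIDATED),
                      ("unvalidated", SAMPLE_UNVALIDATED),
                      ("servfail", SAMPLE_SERVFAIL)]:
        print(name, hex(struct.unpack("!H", pkt[2:4])[0]), classify(pkt))
```

The AD bit is the resolver's own assertion and is not itself signed, so it only carries weight when the path to that resolver is trusted, for example a validating resolver on localhost.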