[Bug 1320] New: Add support for ldns

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Jun 11 23:54:51 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1320

           Summary: Add support for ldns
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: svallet at genoscope.cns.fr


Created an attachment (id=1301)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1301)
Patch against CVS

trying to make use of SSHFP records (RFC 4255) to publish host key
fingerprints in the DNS, we're stumbling on some issues.

It appears some non-OpenBSD platforms don't support DNSSEC in the
native
resolver (e.g. glibc), which renders such a setup quite useless,
since openssh correctly requires the RRs to be signed and validated.

The following patch adds support for ldns, an external resolver
library, with the following functionality:
- Set DO on the SSHFP query
- Support AD if the answer comes from a validating resolver 
- Support autonomous validation using a configured trust anchor in case
the answer is not marked as authentic.

It depends on the SVN version of ldns (revision 2345), which is
available 
there: http://www.nlnetlabs.nl/ldns/

The patch is against current CVS (and needs a minor adjustment to
config.h.in, which does not seem to be under version control)

Simon


-- 
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list