[Bug 1320] New: Add support for ldns
bugzilla-daemon at bugzilla.mindrot.org
Mon Jun 11 23:54:51 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1320
Summary: Add support for ldns
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: bitbucket at mindrot.org
ReportedBy: svallet at genoscope.cns.fr
Created an attachment (id=1301)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1301)
Patch against CVS
Trying to make use of SSHFP records (RFC 4255) to publish host key fingerprints in the DNS, we're stumbling on some issues.

It appears some non-OpenBSD platforms don't support DNSSEC in the native resolver (e.g. glibc), which renders such a setup quite useless, since openssh correctly requires the RRs to be signed and validated.

The following patch adds support for ldns, an external resolver library, with the following functionality:
- Set DO on the SSHFP query
- Support AD if the answer comes from a validating resolver
- Support autonomous validation using a configured trust anchor in case the answer is not marked as authentic.

It depends on the SVN version of ldns (revision 2345), which is available there: http://www.nlnetlabs.nl/ldns/

The patch is against current CVS (and needs a minor adjustment to config.h.in, which does not seem to be under version control).
Simon
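The check the report describes, as an added example that is not part of the bug report, the attached patch, or OpenSSH: SSHFP RDATA (RFC 4255 wire format) is matched against a host key, and the match is only rated "secure" when the answer carried AD from a validating resolver or was validated locally against a trust anchor. The key blob and the records are constructed for illustration; the function and verdict names are my own.

```python
import hashlib
import hmac

# Code points from RFC 4255 (RFC 6594 later added algorithm 3 = ECDSA and
# fingerprint type 2 = SHA-256, which OpenSSH now publishes by default).
SSHFP_ALGO = {1: "ssh-rsa", 2: "ssh-dss"}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def build_sshfp_rdata(algo: int, fp_type: int, key_blob: bytes) -> bytes:
    """Wire-format RDATA (RFC 4255 s3.1): 1 octet algorithm, 1 octet fingerprint
    type, then the digest of the raw public key (the base64-decoded host key field)."""
    return bytes([algo, fp_type]) + SSHFP_HASH[fp_type](key_blob).digest()

def parse_sshfp_rdata(rdata: bytes):
    """Split RDATA into (algorithm, fp_type, fingerprint); reject truncated records."""
    if len(rdata) < 3:
        raise ValueError("SSHFP RDATA too short")
    return rdata[0], rdata[1], rdata[2:]

def sshfp_matches(rdata: bytes, key_type: str, key_blob: bytes) -> bool:
    """True only if algorithm, fingerprint type and digest all agree with the key."""
    algo, fp_type, fp = parse_sshfp_rdata(rdata)
    if SSHFP_ALGO.get(algo) != key_type or fp_type not in SSHFP_HASH:
        return False  # unknown code point: ignore the record rather than trust it
    return hmac.compare_digest(SSHFP_HASH[fp_type](key_blob).digest(), fp)

def sshfp_verdict(records, key_type, key_blob, ad_flag, validated_locally) -> str:
    """Combine the fingerprint check with the DNSSEC status of the answer:
    the query carried DO, so a validating resolver may set AD; AD from a trusted
    resolver, or a successful local validation against a configured trust anchor,
    makes a match 'secure'; a match from an unvalidated answer is only 'insecure'
    and must not replace the interactive host key confirmation."""
    if not any(sshfp_matches(r, key_type, key_blob) for r in records):
        return "mismatch"
    if ad_flag or validated_locally:
        return "secure"
    return "insecure"

# Constructed sample input (not a real host key): a pretend decoded ssh-rsa blob,
# a zone publishing SHA-1 and SHA-256 SSHFP records for it, and records for another key.
SAMPLE_KEY_BLOB = b"constructed-ssh-rsa-public-key-blob"
SAMPLE_RECORDS = [build_sshfp_rdata(1, 1, SAMPLE_KEY_BLOB),
                  build_sshfp_rdata(1, 2, SAMPLE_KEY_BLOB)]
OTHER_KEY_RECORDS = [build_sshfp_rdata(1, 2, b"constructed-blob-of-a-different-key")]

if __name__ == "__main__":
    print(sshfp_verdict(SAMPLE_RECORDS, "ssh-rsa", SAMPLE_KEY_BLOB, True, False))
```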