[Bug 2119] New: SSHFP with DNSSEC – no trust anchors given, validation always fails
bugzilla-daemon at mindrot.org
Sun Jun 9 18:39:44 EST 2013
https://bugzilla.mindrot.org/show_bug.cgi?id=2119
Bug ID: 2119
Summary: SSHFP with DNSSEC – no trust anchors given, validation always fails
Product: Portable OpenSSH
Version: 6.2p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: grawity at gmail.com
The ldns DNS resolver, as used by openbsd-compat/getrrsetbyname-ldns.c,
always fails to verify the DNSSEC signatures:
debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug2: ldns: trying to validate RRset
debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS
debug2: ldns: RRset validation failed: General LDNS error
debug1: found 6 insecure fingerprints in DNS
The problem is that ldns is not being given any trust anchor, so it
defaults to an empty list and automatically fails. This makes the ldns
support useless when used standalone (i.e. when the resolver doesn't
set the AD bit).
Either ldns or OpenSSH should be changed to read the default root key –
see read_key_file() in ldns source (ldns defines LDNS_TRUST_ANCHOR_FILE
as "/etc/unbound/root.key" but doesn't use it automatically).
More information about the openssh-bugs mailing list
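What the resolver would need to be handed before it could validate anything, as an added example that is not OpenSSH's or ldns' code: a parser for a trust-anchor file in the autotrust layout that unbound-anchor writes to root.key (DS or DNSKEY records, ';' comments, optional TTL and class), plus the check that ties a root DNSKEY to such an anchor using the RFC 4034 key tag and the DS digest (RFC 4034 section 5.1.4, SHA-256 per RFC 4509). With an empty anchor list the check can never succeed, which is the failure mode the report describes. The key material is synthetic and labelled as such; the file layout and the function names are this example's own assumptions, not ldns' read_key_file() API.

```python
"""Added example, not OpenSSH or ldns code: read a root.key-style trust
anchor file and check a root DNSKEY against it. An empty anchor set can
never validate anything."""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels."""
    if name in (".", ""):
        return b"\x00"
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(canonical owner name | DNSKEY RDATA)."""
    return DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()


def parse_anchor_file(text: str) -> list:
    """Anchors as ('DS', owner, tag, alg, dtype, digest) or ('DNSKEY', owner, rdata).
    Handles ';' comments and optional TTL/class fields, as in an autotrust root.key."""
    anchors = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        try:
            idx = next(i for i, f in enumerate(fields) if f in ("DS", "DNSKEY"))
        except StopIteration:
            continue  # not a record line
        owner, rtype, rdata = fields[0], fields[idx], fields[idx + 1:]
        if rtype == "DS":
            tag, alg, dtype = (int(x) for x in rdata[:3])
            anchors.append(("DS", owner, tag, alg, dtype, bytes.fromhex("".join(rdata[3:]))))
        else:
            flags, proto, alg = (int(x) for x in rdata[:3])
            pubkey = base64.b64decode("".join(rdata[3:]))
            anchors.append(("DNSKEY", owner, dnskey_rdata(flags, proto, alg, pubkey)))
    return anchors


def validate_dnskey(anchors: list, owner: str, rdata: bytes):
    """Is this DNSKEY itself a configured anchor, or does it match a DS anchor?
    Returns (trusted, reason). With no anchors configured nothing is ever trusted."""
    if not anchors:
        return False, "no trust anchors configured"
    tag, alg = key_tag(rdata), rdata[3]
    for a in anchors:
        if name_to_wire(a[1]) != name_to_wire(owner):
            continue
        if a[0] == "DNSKEY" and a[2] == rdata:
            return True, "DNSKEY anchor matches"
        if a[0] == "DS" and a[2] == tag and a[3] == alg and a[4] in DS_DIGESTS \
                and ds_digest(owner, rdata, a[4]) == a[5]:
            return True, "DS anchor %d/%d matches" % (tag, a[4])
    return False, "no anchor matches key tag %d" % tag


# Constructed sample: a synthetic root KSK (flags 257 = ZSK+SEP, protocol 3,
# algorithm 8 = RSASHA256). The key bytes are made up; this is NOT the real root KSK.
SAMPLE_PUBKEY = b"\x03\x01\x00\x01" + hashlib.sha256(b"synthetic root ksk").digest() * 8
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)


def sample_root_key_file() -> str:
    """Constructed text in the autotrust layout unbound-anchor writes to root.key,
    carrying the synthetic key once as DS and once as DNSKEY."""
    return (
        "; autotrust trust anchor file (constructed sample)\n"
        ";;id: . 1\n"
        ".\t86400\tIN\tDS\t%d 8 2 %s ;;state=2 [  VALID  ]\n"
        ".\t86400\tIN\tDNSKEY\t257 3 8 %s ;{id = %d (ksk), size = 2048b} ;;state=2\n"
    ) % (
        key_tag(SAMPLE_RDATA), ds_digest(".", SAMPLE_RDATA, 2).hex(),
        base64.b64encode(SAMPLE_PUBKEY).decode(), key_tag(SAMPLE_RDATA),
    )


if __name__ == "__main__":
    print(validate_dnskey([], ".", SAMPLE_RDATA))       # the report's situation
    print(validate_dnskey(parse_anchor_file(sample_root_key_file()), ".", SAMPLE_RDATA))
```

The first call models ldns with its default empty anchor list: every RRset comes back untrusted no matter what signatures were fetched. The second shows that once the file is read, either the DS or the DNSKEY form of the anchor is enough to accept the root key, after which the normal RRSIG chain down to the SSHFP owner can be checked.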