[Bug 2119] SSHFP with DNSSEC – no trust anchors given, validation always fails

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Sep 30 18:56:01 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2119

scott-mindrot at shambarger.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |scott-mindrot at shambarger.net

--- Comment #2 from scott-mindrot at shambarger.net ---
I encountered this error using openssh on macports... here's my
analysis of the situation (modified from my macports bug)

ssh performs SSHFP fingerprint lookup when VerifyHostKeyDNS is yes or
ask.

Configured with --with-ldns, ssh supports validating the SSHFP with
DNSSEC.  SSHFP of host keys validated this way are implicitly trusted.
If the resolver has DNSSEC validation, and sets the AD bit on the DNS
response, ldns will mark the SSHFP valid without further work.  If the
resolver does not support DNSSEC, or is authoritative for the domain
(e.g. internal DNS), then ldns must perform the validation locally (the
AD bit is not set).  For this, ldns needs a trust anchor.

I couldn't find anything in the ldns documentation, but the code in
ldns/resolver.c looks for the keyword "anchor" in /etc/resolv.conf to
locate a file containing a DS or DNSKEY RR, and loads it as a trust
anchor.  Without a trust anchor, local DNSSEC validation always fails.

Adding the "anchor" field to resolv.conf allows ldns validation to
succeed.  However, OSX re-creates resolv.conf from scutil's DNS config
whenever the network changes... edits to /etc/resolv.conf are lost.

The only solution to get ldns validation to work on OSX is to add a
trust anchor from a specific file (at least when it is needed for local
validation).

I've created a patch to do this... I chose a "well-known" file location
for the trust anchor, /etc/trusted-key.key (used by dig, freeipa, etc).
The other option was drill's default: /etc/unbound/root.key, but that
seemed rather "unbound specific."

I plan to modify my macports patch to include a configure option for
the location of the trusted key file (and make it more general).  Not
sure if I should update the patch to put a note in the man page...

Log of ssh -vv host with the patch applied (note: the macports patch
looks for anchors in two locations atm):

debug2: ldns: got 4 answers from DNS
debug2: ldns: attempt to load trust anchor from file
/etc/trusted-key.key
debug2: ldns: new anchor added to trust chain
debug2: ldns: attempt to load trust anchor from file
/opt/local/etc/trusted-key.key
debug2: ldns: file not found
debug2: ldns: trying to validate RRset
debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS
debug2: ldns: RRset is signed with a valid key
debug1: found 4 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

I'm not sure which version I should supply the patch for... currently
it's against openssh 6.9p1.

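A pre-flight check, added here as an example (it is not code from OpenSSH, ldns or the reporter's patch), that walks the anchor search order the comment describes: an "anchor <file>" line in resolv.conf first, then the patch's fallback /etc/trusted-key.key, and confirms the file actually holds a DS or DNSKEY record. File contents are passed in as a dict so it runs offline; the sample resolv.conf and the DS digest are constructed placeholders.

```python
"""Pre-flight check for ldns-based SSHFP validation (added example, not
code from OpenSSH, ldns or the bug report).  It mirrors the lookup order
the comment describes: ldns takes an "anchor <file>" line from resolv.conf,
and the proposed patch falls back to /etc/trusted-key.key.  It also checks
that the file really holds a DS or DNSKEY RR, because an empty or unrelated
file leaves ldns with no anchor and local validation still fails."""

# Fallback location chosen by the patch in the comment.
FALLBACK_ANCHOR_FILES = ["/etc/trusted-key.key"]
ANCHOR_RR_TYPES = {"DS", "DNSKEY"}


def anchor_files_from_resolv_conf(text):
    """Paths named on 'anchor <file>' lines of a resolv.conf body."""
    paths = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "anchor":
            paths.append(fields[1])
    return paths


def trust_anchor_records(text):
    """(owner, type) for each DS/DNSKEY RR in zone-file style text."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        # owner [ttl] [class] type rdata...: the type is the first field
        # after the owner that names an anchor RR type.
        for field in fields[1:]:
            if field.upper() in ANCHOR_RR_TYPES:
                records.append((fields[0], field.upper()))
                break
    return records


def check_trust_anchor(resolv_conf, files):
    """files maps path -> content, standing in for the filesystem.
    Returns (usable_path, records, checked_paths)."""
    checked = []
    for path in anchor_files_from_resolv_conf(resolv_conf) + FALLBACK_ANCHOR_FILES:
        checked.append(path)
        if path in files:
            records = trust_anchor_records(files[path])
            if records:
                return path, records, checked
    return None, [], checked


# Constructed sample: OS X-style resolv.conf (no "anchor" line) and a
# trusted-key.key holding a placeholder root DS (the digest is NOT real).
SAMPLE_RESOLV_CONF = "# Generated by scutil\nnameserver 192.0.2.53\n"
SAMPLE_FILES = {"/etc/trusted-key.key": ". IN DS 12345 8 2 " + "0" * 64 + "\n"}

if __name__ == "__main__":
    path, recs, checked = check_trust_anchor(SAMPLE_RESOLV_CONF, SAMPLE_FILES)
    print("checked:", checked, "usable:", path, "records:", recs)
```

When the result's usable path is None, ldns has nothing to validate against and, as the comment explains, every locally validated SSHFP lookup will fail rather than be trusted.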