[Bug 3966] New: CNAME canonicalisation fails to map replacement hostnames to lower-case
bugzilla-daemon at mindrot.org
Sun May 31 12:30:04 AEST 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3966
Bug ID: 3966
Summary: CNAME canonicalisation fails to map replacement hostnames to lower-case
Product: Portable OpenSSH
Version: 10.0p2
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: m at mindrot.fwd.xmk.au
As far as I can tell, this issue has existed since the hostname
canonicalisation framework was added, and is still unresolved in the
newest release.
CanonicalizePermittedCNAMEs is really useful when one has to deal with
a whole-of-domain transition managed by a single DNAME DNS record.
For backwards compatibility, the authoritative nameserver usually
returns synthesised CNAMEs, and when resolvers randomise the case of
names in forwarded queries to reduce the likelihood of DNS cache
poisoning, the resulting randomised case gets returned in the
synthesised CNAME records that get returned to the DNS client (the ssh
program in this case).
This results in mismatches when expansions such as %h or %C are used in
contexts that are case-sensitive, especially filenames (including
AF_LOCAL sockets) and key lookups.
My ~/.ssh/config has something approximating this:
```
# Follow the synthesised CNAMEs from the old zone into the new one
Host *.old.domain
    CanonicalizeHostname yes
    CanonicalizePermittedCNAMEs *:*.new.domain
# Make sure we can ssh to critical servers when DNS is down
Host criticaldnsserver.new.domain 5.6.7.8
    HostKeyAlias criticaldnsserver.new.domain
    Hostname 5.6.7.8
Host *
    ControlMaster auto
    # %k is the HostKeyAlias if one is set, otherwise the hostname (here the
    # canonicalised name); both expansions below end up in case-sensitive paths
    ControlPath /run/$UID/ssh_session/%r@%k:%p.sock
    IdentityFile ~/.ssh/keys/%r@%k
    StrictHostKeyChecking yes
```
The problem is that `ssh criticaldnsserver.old.domain` does not work
cleanly, because:
(a) there's no identity file named
~/.ssh/keys/me@CriTicaLdNSSeRvEr.new.domain, and
(b) ~/.ssh/known_hosts doesn't contain an entry that matches
CriTicaLdNSSeRvEr.new.domain.
I think this would be resolved by:
```
# git diff
diff --git a/ssh.c b/ssh.c
index 531f28eb2..805c41e6d 100644
--- a/ssh.c
+++ b/ssh.c
@@ -399,6 +399,7 @@ check_follow_cname(int direct, char **namep, const
char *cname)
"\"%s\" => \"%s\"", *namep, cname);
free(*namep);
*namep = xstrdup(cname);
+ lowercase(*namep);
return 1;
}
return 0;
```
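Review bot: the verbose "Canonicalized DNS aliased hostname" message two lines above the new `lowercase(*namep);` is emitted before the lower-casing runs, so the log shows the mixed-case CNAME (`=> "CriTicaLdNSSeRvEr.new.domain"`) while the name actually stored in `*namep` and later expanded into %h/%k/%C is the lower-cased one, which will confuse anyone debugging exactly the mismatch this bug is about; do the `xstrdup` and `lowercase` first and log `*namep`, or log both forms. Two things to confirm outside the hunk: that the function's earlier "already the same name" comparison between `*namep` and `cname` is case-insensitive, since a CNAME that differs from the current name only by 0x20 case randomisation should count as "no alias" rather than be followed and rewritten; and that ssh_config(5) gets a sentence under CanonicalizePermittedCNAMEs stating that the replacement hostname is lower-cased, so the behaviour is documented rather than discovered through filenames.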
--
You are receiving this mail because:
You are watching the assignee of the bug.
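What the report describes, as an added example (my own model written for this review, not code from ssh.c or from the reporter): the permitted-CNAME rule `*:*.new.domain` is applied to a constructed case-randomised CNAME, with and without the proposed lower-casing, and the resulting name is fed through the `~/.ssh/keys/%r@%k` pattern from the config above. The rule structure, the glob matcher, the case-insensitive "same name" guard and the assumption that %k is the canonicalised hostname are all simplifications made for this example and not OpenSSH's own routines.

```c
/*
 * Added example, not OpenSSH code: a self-contained model of the
 * CanonicalizePermittedCNAMEs decision and of the %r@%k path the report's
 * IdentityFile line builds from it.  Rule format, glob matcher, equality
 * guard and the %k assumption are simplifications for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct cname_rule {
	const char *source;	/* glob the name being canonicalised must match */
	const char *target;	/* glob the CNAME target must match */
};

static void
lowercase(char *s)
{
	for (; *s != '\0'; s++)
		*s = (char)tolower((unsigned char)*s);
}

/* Case-insensitive equality (assumed guard, see lead-in). */
static int
equal_ci(const char *a, const char *b)
{
	for (; *a != '\0' && *b != '\0'; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == '\0' && *b == '\0';
}

/* Case-insensitive glob with '*' and '?'; returns 1 on match, else 0. */
static int
match_ci(const char *s, const char *p)
{
	for (;;) {
		if (*p == '\0')
			return *s == '\0';
		if (*p == '*') {
			while (*p == '*')
				p++;
			if (*p == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (match_ci(s, p))
					return 1;
			return 0;
		}
		if (*s == '\0')
			return 0;
		if (*p != '?' &&
		    tolower((unsigned char)*p) != tolower((unsigned char)*s))
			return 0;
		s++;
		p++;
	}
}

/*
 * Writes the hostname to use into out; returns 1 if a rule permits following
 * name -> cname, else 0 with out left as name.  lower != 0 models the
 * proposed patch: the replacement is lower-cased before it is used.
 */
static int
follow_cname(const char *name, const char *cname,
    const struct cname_rule *rules, size_t nrules, int lower,
    char *out, size_t outlen)
{
	size_t i;

	snprintf(out, outlen, "%s", name);
	if (*cname == '\0' || equal_ci(name, cname))
		return 0;	/* same name modulo case: nothing to follow */
	for (i = 0; i < nrules; i++) {
		if (!match_ci(name, rules[i].source) ||
		    !match_ci(cname, rules[i].target))
			continue;
		snprintf(out, outlen, "%s", cname);
		if (lower)
			lowercase(out);
		return 1;
	}
	return 0;
}

/* Models IdentityFile ~/.ssh/keys/%r@%k with %k = canonicalised host. */
static void
identity_path(const char *user, const char *khost, char *out, size_t outlen)
{
	snprintf(out, outlen, "~/.ssh/keys/%s@%s", user, khost);
}

/* The report's scenario with a constructed 0x20 case-randomised CNAME. */
static const char *
scenario_path(int lower)
{
	static const struct cname_rule rules[] = { { "*", "*.new.domain" } };
	static char host[256], path[512];

	follow_cname("criticaldnsserver.old.domain",
	    "CriTicaLdNSSeRvEr.new.domain", rules, 1, lower,
	    host, sizeof(host));
	identity_path("me", host, path, sizeof(path));
	return path;
}

int
main(void)
{
	printf("unpatched: %s\n", scenario_path(0));
	printf("patched:   %s\n", scenario_path(1));
	return 0;
}
```

Compile with `cc -o cname_case cname_case.c` and run: the unpatched path yields `~/.ssh/keys/me@CriTicaLdNSSeRvEr.new.domain`, which matches no file, while the patched path yields `~/.ssh/keys/me@criticaldnsserver.new.domain`, the file the config above actually expects. A CNAME outside `*.new.domain` is not followed at all, so the name stays `criticaldnsserver.old.domain`.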