[Bug 3966] CNAME canonicalisation fails to map replacement hostnames to lower-case

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun May 31 16:05:52 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3966

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
             Blocks|                            |3942
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Thanks for the report. AIUI the system resolver is meant to hide
DNS0x20 randomisation from applications, but if that is not happening
on real systems then we need to work around it.

I've applied your fix and it will be in openssh-10.4, due in the next
couple of months.

Thanks

---
commit df18979e1137f41a3ffa25f9d06c4fc55073cb34 (HEAD -> master, origin/master, origin/HEAD)
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun May 31 05:55:21 2026 +0000

    upstream: DNS0x20[1] can randomise the case of domain names returned by

    lookup to force some more uniqueness in queries to reduce the likelihood of
    spoofing attacks succeeding.

    Normally this should be hidden from the user by the resolver, but
    in some cases it can leak through. When it does, it can mess up
    ssh's CanonicalizePermittedCNAMEs.

    Fix this by forcing the name we received from the system resolver to
    lowercase.

    bz3966, report and fix by Martin D Kealey

    [1] https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00

    OpenBSD-Commit-ID: e0b300d3b3af289e053d928380af71949f95bfb0


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3942
[Bug 3942] Tracking bug for openssh-10.4
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
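Added example (not OpenSSH code, and not from the bug report or the commit above): a self-contained C program showing why a CNAME target whose case has been randomised by DNS0x20, and then leaked through the system resolver, fails a case-sensitive CanonicalizePermittedCNAMEs-style "source:target" pattern check, and why lower-casing the resolver's answer before matching fixes it. The glob matcher, the function names (cname_permitted_raw, cname_permitted_folded, hostname_lowercase) and the rule/host/CNAME strings are all assumptions constructed for this illustration; they do not reproduce OpenSSH's own matching code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not OpenSSH code): a leaky resolver that hands back a
 * DNS0x20-randomised CNAME target breaks a case-sensitive permitted-CNAME
 * check; lower-casing the answer first restores the match.
 */

/* Minimal case-sensitive glob: '*' matches any run, '?' one character. */
static int glob_match(const char *pat, const char *s)
{
	for (;;) {
		if (*pat == '\0')
			return *s == '\0';
		if (*pat == '*') {
			while (*pat == '*')
				pat++;
			if (*pat == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (glob_match(pat, s))
					return 1;
			return 0;
		}
		if (*s == '\0' || (*pat != '?' && *pat != *s))
			return 0;
		pat++;
		s++;
	}
}

/* Lower-case an ASCII hostname in place; DNS names compare case-insensitively. */
void hostname_lowercase(char *name)
{
	for (; *name != '\0'; name++)
		*name = (char)tolower((unsigned char)*name);
}

/*
 * One "source_pattern:target_pattern" rule in the spirit of
 * CanonicalizePermittedCNAMEs: a host matching src_pat may be a CNAME for a
 * name matching dst_pat. Returns 1 if permitted. No case folding, i.e. the
 * pre-fix behaviour (assumed for the example).
 */
int cname_permitted_raw(const char *src_pat, const char *dst_pat,
    const char *host, const char *cname_target)
{
	return glob_match(src_pat, host) && glob_match(dst_pat, cname_target);
}

/* Same check, but the resolver's answer is lower-cased first (the fix). */
int cname_permitted_folded(const char *src_pat, const char *dst_pat,
    const char *host, const char *cname_target)
{
	char folded[256];	/* 255 octets is the DNS name length limit */

	if (strlen(cname_target) >= sizeof(folded))
		return 0;	/* refuse over-long names rather than truncate */
	strcpy(folded, cname_target);
	hostname_lowercase(folded);
	return cname_permitted_raw(src_pat, dst_pat, host, folded);
}

/* Constructed inputs: a rule, a host, and a CNAME target as a leaky
 * resolver might hand it back with DNS0x20 case bits still set. */
static const char *RULE_SRC = "*.a.example.com";
static const char *RULE_DST = "*.b.example.com";
static const char *HOST = "web.a.example.com";
static const char *LEAKED = "wEb01.B.ExAmPlE.cOm";

int main(void)
{
	printf("raw match:    %d\n",
	    cname_permitted_raw(RULE_SRC, RULE_DST, HOST, LEAKED));
	printf("folded match: %d\n",
	    cname_permitted_folded(RULE_SRC, RULE_DST, HOST, LEAKED));
	return 0;
}
```

The raw check rejects the leaked target even though the CNAME is the one the rule intends to allow, which is the failure the bug describes; folding to lower case before matching accepts it, while a target outside the permitted domain is still rejected. Folding is applied to the resolver's answer only, mirroring the commit's description of the fix.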
