DSA Fingerprints...

Wesley Griffin wgriffin at tislabs.com
Thu Feb 8 09:13:44 EST 2001


* Damien Miller <djm at mindrot.org> [02/07/01 16:32]:
> On Wed, 7 Feb 2001, Darren Moffat wrote:
> 
> > >	Last question...  Given SecureDNS as a predicate (ok...  Oxymoron
> > >with most of the DNS out there, but I have several in several zones.) and
> > >given that we can publish keys in the DNS, can OpenSSH use them to validate
> > >the host keys?  I can do this with FreeS/WAN (Linux IPSec) where I specify
> > >to use the host public key from DNS, I was just wondering if that is
> > >possible or planned for SSH as well.  For zones under my total control,
> > >that simplifies my host key management immensely (which is a point in
> > >the KS paper).
> > 
> > Currently under discussion in the IETF working group just now as
> > 
> > draft-griffin-ssh-host-keys-in-dns-00.txt
> > 
> > Go to www.ietf.org to get a copy of the text
> 
> I don't know if it is related, but these guys have a working implementation
> of OpenSSH with DNSSEC key retrieval:
> 
> http://www.cs.jhu.edu/~smang/sshproject.html

No, it's not related, and I haven't had a chance to look at their code.
We're still looking at different ways to do DNSSEC key retrieval with
OpenSSH. In our first iteration, we did full DNSSEC verification in the
client. It was very messy and not easy to do. Currently we're looking at
using BIND9 to do the verification and using TSIG in the ssh client to
verify the nameserver query and response. At some point I'm hoping to
have some patches to submit that could be considered for inclusion.

-- 
Wesley Griffin                                                  NAI Labs
wgriffin at tislabs.com                                        443.259.2388
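The check the thread is discussing, reduced to its last step: a zone operator publishes a fingerprint of the host key in DNS and the ssh client compares the key the server offers against it. This is an added example, not code from the thread, from OpenSSH or from the draft; it follows the SSHFP record layout that draft-griffin-ssh-host-keys-in-dns later became (RFC 4255: algorithm 1 = RSA, 2 = DSS, fingerprint type 1 = SHA-1), and the DSA parameter values are constructed, not a real key.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP numbering from RFC 4255 (assumption: the draft named in the thread later became that RFC)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}
SSHFP_FPTYPE_SHA1 = 1

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer; the extra byte keeps the sign bit clear."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_dss_key_line(p: int, q: int, g: int, y: int, comment: str = "constructed") -> str:
    """Build an OpenSSH-style 'ssh-dss <base64 blob> <comment>' line from constructed values."""
    blob = ssh_string(b"ssh-dss") + b"".join(ssh_mpint(x) for x in (p, q, g, y))
    return f"ssh-dss {base64.b64encode(blob).decode()} {comment}"

def parse_key_line(line: str):
    """Return (key type, raw blob); reject lines whose declared type differs from the blob's."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed host key line")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("declared key type does not match blob")
    return keytype, blob

def sshfp_record(line: str):
    """(algorithm, fingerprint type, hex SHA-1) that the zone operator would publish for this key."""
    keytype, blob = parse_key_line(line)
    return SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE_SHA1, hashlib.sha1(blob).hexdigest()

def host_key_matches_dns(line: str, record) -> bool:
    """Client-side check: does the key the server offered match the record fetched from DNS?"""
    alg, fptype, fingerprint = record
    try:
        got_alg, got_type, got_fp = sshfp_record(line)
    except (ValueError, KeyError, struct.error):
        return False
    return got_alg == alg and got_type == fptype and hmac.compare_digest(got_fp, fingerprint.lower())
```

Fetching the record and validating the answer (the DNSSEC or TSIG step the message describes) sits in front of this comparison and is not shown; a record that cannot be validated should be treated as absent rather than compared.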
