[PATCH] Add support for ldns

Darren Tucker dtucker at zip.com.au
Tue Jun 5 00:16:39 EST 2007


Simon Vallet wrote:
> nobody on this one ?

Sorry for the delay.  I started looking at this and then got sidetracked 
(as usual).

> I really think autonomous signature validation capabilities are a useful
> feature in an ssh client. In a mobile scenario, simply trusting the next
> DNS hop seems only marginally better than having no signed records at all.
> 
> I'm willing to spend more time on this patch if necessary, so any
> feedback is welcome

I have no objection to this in principle.  LDNS seems to be under a 
3-clause BSD style license so there's no potential license hassles.

About the patch itself, I would probably wait until the required 
features make it into a released version of the software so there's more 
likelihood of the interface being stable.  I would also like someone 
more familiar with DNSSEC than me to sanity check it.

You added the additional functionality to one of the files that we try 
to keep in sync with its OpenBSD counterpart, so that's a potential 
maintenance hassle.  I think it would be better in its own file, which 
according to the existing convention would be bsd-getrrsetbyname.c.

Also, I'm not wild about the use of debug() calls in the compat library 
but I can see why you've used them.  We try to avoid them in code that 
replaces library functions so the code is usable in other things.

There are also a few style nits (lines >80 chars, indentation, spaces 
instead of tabs).  Nothing major, but if you haven't already then please 
read http://www.openbsd.org/cgi-bin/man.cgi?query=style .

> Simon
> 
> On Mon, 21 May 2007 15:55:07 +0200
> Simon Vallet <svallet at genoscope.cns.fr> wrote:
> 
>> Hi,
>>
>> as discussed before, we're trying to make use of SSHFP records (RFC
>> 4255) to publish host key fingerprints in the DNS.
>>
>> However, some non-OpenBSD platforms don't support DNSSEC in the native
>> resolver (e.g. glibc), which renders the whole thing quite useless,
>> since openssh correctly requires the RRs to be signed and validated.
>>
>> The following patch adds support for ldns, an external resolver
>> library, with the following functionality:
>> - Set DO on the SSHFP query
>> - Support AD if the answer comes from a validating resolver 
>> - Support autonomous validation using a configured trust anchor in case
>> the answer is not marked as authentic.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
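For readers following the DO/AD discussion in the quoted patch description, here is an added example (not code from the patch, from ldns or from OpenSSH) in Python that builds an SSHFP query carrying an EDNS0 OPT record with the DO bit set, reads the AD flag out of a response header, and checks SSHFP rdata (RFC 4255 layout) against a host key blob; the policy function mirrors the described behaviour of accepting the RRset only when the resolver asserted AD or the client validated it itself. All hostnames, key blobs and packet bytes are constructed sample data.

```python
import hashlib
import struct

# RFC 4255 SSHFP rdata: algorithm (1 byte), fingerprint type (1 byte), fingerprint.
SSHFP_ALGO = {"RSA": 1, "DSA": 2}
SSHFP_FPTYPE_SHA1 = 1
QTYPE_SSHFP = 44
QTYPE_OPT = 41


def build_sshfp_query(hostname, qid=0x1234):
    """DNS query for <hostname>/SSHFP/IN plus an EDNS0 OPT RR with DO (0x8000) set."""
    # Header: id, flags (RD only), 1 question, 0 answers, 0 authority, 1 additional (OPT).
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE_SSHFP, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0.
    opt = b"\x00" + struct.pack("!HHBBHH", QTYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def response_flags(packet):
    """Pull the QR, AD and CD bits and the RCODE out of a DNS response header."""
    flags = struct.unpack("!H", packet[2:4])[0]
    return {"qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "rcode": flags & 0x000F}


def make_sshfp_rdata(hostkey_blob, key_algo):
    """SSHFP rdata (algorithm, SHA-1 fptype, SHA-1 of the wire-format key) for a host key."""
    return bytes([SSHFP_ALGO[key_algo], SSHFP_FPTYPE_SHA1]) + hashlib.sha1(hostkey_blob).digest()


def sshfp_matches(rdata, hostkey_blob, key_algo):
    """True when the SSHFP record describes this key: same algorithm, SHA-1 type, equal digest."""
    if len(rdata) < 2 or rdata[0] != SSHFP_ALGO.get(key_algo) or rdata[1] != SSHFP_FPTYPE_SHA1:
        return False
    return hashlib.sha1(hostkey_blob).digest() == rdata[2:]


def sshfp_trustworthy(flags, locally_validated):
    """Policy from the patch description: trust the RRset only if the resolver set AD
    or the client validated the signatures itself against a configured trust anchor."""
    return flags["rcode"] == 0 and (flags["ad"] or locally_validated)
```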
