[PATCH] Add support for ldns
dtucker at zip.com.au
Tue Jun 5 00:16:39 EST 2007
Simon Vallet wrote:
> nobody on this one ?
Sorry for the delay. I started looking at this and then got sidetracked
> I really think autonomous signature validation capabilities are a useful
> feature in an ssh client. In a mobile scenario, simply trusting the next
> DNS hop seems only marginally better as having no signed records at all.
> I'm willing to spend more time on this patch if necessary, so any
> feedback is welcome
I have no objection to this in principle. LDNS seems to be under a
3-clause BSD style license so there's no potential license hassles.
About the patch itself, I would probably wait until the required
features make it into a released version of the software so there's more
likelihood of the interface being stable. I would also like someone
more familiar with DNSSEC than me to sanity check it.
You added the additional functionality to one of the files that we try
to keep in sync with its OpenBSD counterpart, so that's a potential
maintenance hassle. I think it would be better in its own file, which
according to the existing convention would be bsd-getrrsetbyname.c.
Also, I'm not wild about the use of debug() calls in the compat library
but I can see why you've used them. We try to avoid them in code that
replaces library functions so the code is usable in other things.
There's also a few style nits (lines >80 chars, indentation, spaces
instead of tabs). Nothing major, but if you haven't already then please
read http://www.openbsd.org/cgi-bin/man.cgi?query=style .
> On Mon, 21 May 2007 15:55:07 +0200
> Simon Vallet <svallet at genoscope.cns.fr> wrote:
>> as discussed before, we're trying to make use of SSHFP records (RFC
>> 4255) to publish host key fingerprints in the DNS.
>> However, some non-OpenBSD platforms don't support DNSSEC in the native
>> resolver (e.g. glibc), which renders the whole thing quite useless,
>> since openssh correctly requires the RRs to be signed and validated.
>> The following patch adds support for ldns, an external resolver
>> library, with the following functionality:
>> - Set DO on the SSHFP query
>> - Support AD if the answer comes from a validating resolver
>> - Support autonomous validation using a configured trust anchor in case
>> the answer is not marked as authentic.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev