[PATCH] Add support for ldns

Simon Vallet svallet at genoscope.cns.fr
Tue May 29 19:01:30 EST 2007


nobody on this one?

I really think autonomous signature validation capabilities are a useful
feature in an ssh client. In a mobile scenario, simply trusting the next
DNS hop seems only marginally better than having no signed records at all.

I'm willing to spend more time on this patch if necessary, so any
feedback is welcome.

Simon

On Mon, 21 May 2007 15:55:07 +0200
Simon Vallet <svallet at genoscope.cns.fr> wrote:

> Hi,
> 
> as discussed before, we're trying to make use of SSHFP records (RFC
> 4255) to publish host key fingerprints in the DNS.
> 
> However, some non-OpenBSD platforms don't support DNSSEC in the native
> resolver (e.g. glibc), which renders the whole thing quite useless,
> since openssh correctly requires the RRs to be signed and validated.
> 
> The following patch adds support for ldns, an external resolver
> library, with the following functionality:
> - Set DO on the SSHFP query
> - Support AD if the answer comes from a validating resolver
> - Support autonomous validation using a configured trust anchor in case
> the answer is not marked as authentic.
> 
> It depends on the SVN version of ldns (revision 2345), which is available
> there: http://www.nlnetlabs.nl/ldns/
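The first two behaviours in the quoted description (DO on the SSHFP query, AD on the answer) plus the RFC 4255 fingerprint comparison, as an added, self-contained Python example. This is not Simon's patch and does not use ldns: it uses only the standard library, and the function names, sample response headers and the dummy "ssh-rsa" key blob are this example's own constructions. The third bullet, autonomous validation against a configured trust anchor, is deliberately left out because it needs full RRSIG/DNSKEY chain validation, which is what the ldns dependency provides in the real patch.

```python
"""Added example (not the patch, not ldns): offline pieces of the SSHFP flow.
1. build an SSHFP query whose EDNS0 OPT RR sets DO (DNSSEC OK);
2. accept an answer as authentic only when the header carries AD;
3. compare SSHFP RDATA (RFC 4255: alg, fp-type, fingerprint) to a host key.
Trust-anchor validation (the patch's third bullet) is not reproduced here.
Sample packets and the key blob below are constructed, not real."""
import hashlib
import hmac
import struct

TYPE_SSHFP = 44             # RFC 4255
TYPE_OPT = 41               # EDNS0 pseudo-RR
CLASS_IN = 1
FLAG_AD = 0x0020            # header flags: Authentic Data (bit 5)
FLAG_CD = 0x0010            # header flags: Checking Disabled (bit 4)
RCODE_MASK = 0x000F
EDNS_DO = 0x8000            # DO is the high bit of the OPT TTL's flags half
FPTYPE_SHA1 = 1             # the only fingerprint type RFC 4255 defines
ALG_FOR_KEYTYPE = {b"ssh-rsa": 1, b"ssh-dss": 2}   # RFC 4255 algorithm numbers


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_sshfp_query(host: str, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """<host> IN SSHFP with RD set and one OPT RR in the additional section carrying DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(host) + struct.pack("!HH", TYPE_SSHFP, CLASS_IN)
    # OPT: root name, TYPE, CLASS = UDP payload size, TTL = ext-rcode|version|flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def query_sets_do(packet: bytes) -> bool:
    """True if the trailing OPT RR of a query built above has the DO bit."""
    name, rtype, _udp, ttl, rdlen = struct.unpack("!BHHIH", packet[-11:])
    return name == 0 and rtype == TYPE_OPT and rdlen == 0 and bool(ttl & EDNS_DO)


def response_is_authentic(packet: bytes) -> bool:
    """Trust the answer only if the resolver set AD, did not echo CD, and returned
    NOERROR. AD from an untrusted last hop proves nothing by itself, which is the
    gap the autonomous-validation path is meant to close."""
    _txid, flags = struct.unpack("!HH", packet[:4])
    return bool(flags & FLAG_AD) and not (flags & FLAG_CD) and (flags & RCODE_MASK) == 0


def ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def key_type(blob: bytes) -> bytes:
    """The first SSH string of a public-key blob is its type name (e.g. ssh-rsa)."""
    (n,) = struct.unpack("!I", blob[:4])
    return blob[4:4 + n]


def sshfp_rdata_for(blob: bytes) -> bytes:
    """What a zone operator publishes: algorithm, fp-type 1, SHA-1 over the key blob."""
    return bytes([ALG_FOR_KEYTYPE[key_type(blob)], FPTYPE_SHA1]) + hashlib.sha1(blob).digest()


def sshfp_matches_hostkey(rdata: bytes, blob: bytes) -> bool:
    """Client side: algorithm must agree with the key type, fp-type must be SHA-1,
    and the fingerprint must equal SHA-1(blob), compared in constant time."""
    if len(rdata) < 3:
        return False
    alg, fptype, fp = rdata[0], rdata[1], rdata[2:]
    if fptype != FPTYPE_SHA1 or ALG_FOR_KEYTYPE.get(key_type(blob)) != alg:
        return False
    return hmac.compare_digest(hashlib.sha1(blob).digest(), fp)


def accept_hostkey(response: bytes, rdata: bytes, blob: bytes) -> bool:
    """An SSHFP record that is not validated is treated like no record at all."""
    return response_is_authentic(response) and sshfp_matches_hostkey(rdata, blob)


# Constructed sample data: a dummy ssh-rsa blob (not a real key) and two response
# headers, QR|RD|RA (0x8180) with and without AD, ANCOUNT=1, ARCOUNT=1 (the OPT).
SAMPLE_RSA_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                   + ssh_string(b"\x00" + bytes(range(1, 65))))
SAMPLE_SSHFP_RDATA = sshfp_rdata_for(SAMPLE_RSA_BLOB)
SAMPLE_AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 1, 0, 1)
SAMPLE_NO_AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)

if __name__ == "__main__":
    print("DO set on query:", query_sets_do(build_sshfp_query("host.example.com")))
    print("AD answer accepted:", accept_hostkey(SAMPLE_AD_RESPONSE, SAMPLE_SSHFP_RDATA, SAMPLE_RSA_BLOB))
    print("non-AD answer accepted:", accept_hostkey(SAMPLE_NO_AD_RESPONSE, SAMPLE_SSHFP_RDATA, SAMPLE_RSA_BLOB))
```

The AD check is only as strong as the path between the client and the resolver that set the bit, so in the mobile case the message describes, a stub resolver should either validate the RRSIG chain itself against a trust anchor or ignore SSHFP entirely; accepting AD from whatever resolver DHCP handed out is the "marginally better" case.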


More information about the openssh-unix-dev mailing list