[PATCH] Use canonical hostname for DNS SSHFP lookup

Jan Andres jandres at gmx.net
Sun Nov 28 23:26:14 EST 2010


On Sun, Nov 28, 2010 at 03:37:56AM -0800, Dan Kaminsky wrote:
> Presumably, a CNAME will be returned as the canonical name, meaning
> you're asking the network what name to expect.  That's generally quite
> verboten.  However, if we presume that SSHFP is wildly insecure anyway
> without DNSSEC, then this might be OK, because end-to-end DNSSEC will
> prevent a malicious CNAME from being accepted.

Agreed. While ssh will request DNSSEC for the SSHFP record, and will only
trust the key if DNSSEC is established, we do not know whether the same
is true for the address lookup yielding the canonical name. Plus, there
seems to be no portable way to get this information out of getaddrinfo().

To get around this, I might suggest the following approach:

- Instead of directly using the canonical name from getaddrinfo(),
  search for the SSHFP record using the normal domain search path.

- Only if DNSSEC is established for the SSHFP lookup, AND it yields the
  same canonical name as the address lookup did, trust the fingerprint
  obtained from DNS.

Would this be an acceptable approach?

Regards,
Jan

-- 
Jan Andres <jandres at gmx.net>
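The two-step check proposed above, written out as an added example (not OpenSSH's code and not from this thread): the resolver is a constructed in-memory stand-in, DNSSEC status is modelled as the resolver's AD bit, and the host key blob, zone names and fingerprints are constructed values.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class SshfpAnswer:
    canonical_name: str   # owner name after the resolver chased any CNAME
    authenticated: bool   # resolver reported DNSSEC validation (AD bit)
    records: list         # (algorithm, fptype, fingerprint_hex) tuples

# Constructed host key blob and its SHA-256 SSHFP fingerprint (fptype 2).
HOST_KEY_BLOB = b"constructed-ed25519-host-key-blob"
HOST_KEY_ALG = 4  # SSHFP algorithm number for Ed25519
HOST_FP = hashlib.sha256(HOST_KEY_BLOB).hexdigest()

# Constructed stand-in for the resolver: query name -> answer.
FAKE_ZONE = {
    "bastion.example.net": SshfpAnswer("bastion.example.net", True, [(4, 2, HOST_FP)]),
    # Same RRset, but the resolver could not validate it.
    "bastion.lab.example.net": SshfpAnswer("bastion.lab.example.net", False, [(4, 2, HOST_FP)]),
    # CNAME into another zone: canonical name will not match the address lookup.
    "alias.example.net": SshfpAnswer("other.example.org", True, [(4, 2, HOST_FP)]),
}

def resolve_sshfp(name, search_path, zone):
    """Stub-resolver behaviour: try the name as given, then each search suffix."""
    for qname in [name] + [f"{name}.{suffix}" for suffix in search_path]:
        if qname in zone:
            return zone[qname]
    return None

def fingerprint_matches(key_alg, key_blob, records):
    """True if any SSHFP record with a known digest type matches the host key."""
    digests = {1: hashlib.sha1, 2: hashlib.sha256}
    for alg, fptype, fp_hex in records:
        if alg == key_alg and fptype in digests and \
                digests[fptype](key_blob).hexdigest() == fp_hex.lower():
            return True
    return False

def trust_sshfp(hostname, addr_canonical, key_alg, key_blob, search_path, zone=FAKE_ZONE):
    """Trust the DNS fingerprint only if the SSHFP answer is DNSSEC-validated,
    its canonical name equals the address lookup's, and it matches the key."""
    ans = resolve_sshfp(hostname, search_path, zone)
    if ans is None or not ans.authenticated:
        return False
    if ans.canonical_name.rstrip(".").lower() != addr_canonical.rstrip(".").lower():
        return False
    return fingerprint_matches(key_alg, key_blob, ans.records)
```

The `alias.example.net` entry models the CNAME case from the quoted reply: the record validates, but because the SSHFP canonical name disagrees with the one getaddrinfo() produced, the fingerprint is not trusted.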

