[PATCH] Use canonical hostname for DNS SSHFP lookup

Dan Kaminsky dan at doxpara.com
Mon Nov 29 02:32:56 EST 2010


On Sun, Nov 28, 2010 at 4:26 AM, Jan Andres <jandres at gmx.net> wrote:
> On Sun, Nov 28, 2010 at 03:37:56AM -0800, Dan Kaminsky wrote:
>> Presumably, a CNAME will be returned as the canonical name, meaning
>> you're asking the network what name to expect.  That's generally quite
>> verboten.  However, if we presume that SSHFP is wildly insecure anyway
>> without DNSSEC, then this might be OK, because end-to-end DNSSEC will
>> prevent a malicious CNAME from being accepted.
>
> Agreed. While ssh will request DNSSEC for the SSHFP record, and will only
> trust the key if DNSSEC is established, we do not know whether the same
> is true for the address lookup yielding the canonical name. Plus, there
> seems to be no portable way to get this information out of getaddrinfo().
>
> To get around this, I might suggest the following approach:
>
> - Instead of directly using the canonical name from getaddrinfo(),
>  search for the SSHFP record using the normal domain search path.
>
> - Only if DNSSEC is established for the SSHFP lookup, AND it yields the
>  same canonical name as the address lookup did, trust the fingerprint
>  obtained from DNS.
>
> Would this be an acceptable approach?

Possibly.  There's an *enormous* reckoning coming, as we figure out
how to actually deliver DNSSEC guarantees end-to-end (no, the AD bit
is not enough).  I actually hadn't worked in the vagaries of search
lists and devolution, into how DNSSEC will operate...there's more than
a bit to figure out, before we can adequately answer what the correct
semantics here are.
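The trust rule proposed in the quoted message (trust the DNS fingerprint only when the SSHFP answer is DNSSEC-validated AND its canonical name equals the one the address lookup produced), written out as an added example. This is not OpenSSH code and not code from either correspondent; the resolver answers, host names (`sshhost`, `server.example.net`, `evil.example.org`) and the 32-byte Ed25519 key material are constructed so the script runs offline, and the search-list expansion is a rough sketch rather than a faithful copy of libc resolver behaviour. It goes one step beyond the thread by also matching a presented host key against the SSHFP records that survive the rule (RFC 4255 fingerprint = hash of the base64-decoded key blob).

```python
"""Trust decision for DNS SSHFP records: DNSSEC-validated AND canonical name
matches the address lookup. Added example; all inputs below are constructed."""
import hashlib
import struct
from dataclasses import dataclass

# SSHFP algorithm / fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass
class SshfpAnswer:
    """One SSHFP response as the client sees it (constructed for this example)."""
    qname: str               # name actually queried, after search-list expansion
    canonical: str           # owner name after the resolver followed any CNAMEs
    dnssec_validated: bool   # resolver reported the answer as validated (AD bit)
    rdata: list              # [(alg, fptype, hex_fingerprint), ...]


def candidates(host, search_domains):
    """Rough sketch of 'the normal domain search path': an absolute name is
    tried alone; otherwise the bare name, then name + each search domain."""
    if host.endswith("."):
        return [host]
    return [host + "."] + [f"{host}.{d.strip('.')}." for d in search_domains]


def trusted_sshfp(addr_canonical, answers):
    """Return SSHFP rdata the client may trust, or None.

    Both conditions from the proposal must hold for an answer: it must be
    DNSSEC-validated, and its canonical name must equal the canonical name the
    address lookup returned. An unvalidated answer, or a CNAME that steers the
    SSHFP lookup to a different name, yields nothing to trust."""
    want = addr_canonical.rstrip(".").lower()
    for a in answers:
        if a.dnssec_validated and a.canonical.rstrip(".").lower() == want:
            return a.rdata
    return None


def sshfp_for_key(key_type, key_blob, fptype=2):
    """SSHFP rdata for a host key: hash of the raw (base64-decoded) key blob."""
    return (SSHFP_ALG[key_type], fptype, SSHFP_HASH[fptype](key_blob).hexdigest())


def key_matches(key_type, key_blob, rdata):
    """True if any SSHFP record matches the host key the server presented."""
    alg = SSHFP_ALG[key_type]
    for rec_alg, fptype, fp in rdata:
        if rec_alg != alg or fptype not in SSHFP_HASH:
            continue  # different key algorithm, or a hash type we do not know
        if SSHFP_HASH[fptype](key_blob).hexdigest() == fp.lower():
            return True
    return False


def ed25519_blob(raw32):
    """ssh-ed25519 public key blob in SSH wire format (RFC 4251 strings)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return s(b"ssh-ed25519") + s(raw32)


# Constructed sample: 32 bytes standing in for an Ed25519 public key (not a
# real key), and the canonical name getaddrinfo() would report after a CNAME.
KEY_BLOB = ed25519_blob(bytes(range(32)))
ADDR_CANONICAL = "server.example.net."
GOOD_RDATA = [sshfp_for_key("ssh-ed25519", KEY_BLOB)]

ANSWERS = {
    # validated and same canonical name as the address lookup: trusted
    "good": SshfpAnswer("sshhost.example.net.", "server.example.net.", True, GOOD_RDATA),
    # same data but the resolver did not validate it: not trusted
    "no_ad": SshfpAnswer("sshhost.example.net.", "server.example.net.", False, GOOD_RDATA),
    # validated, but a CNAME sent the SSHFP lookup to another name: not trusted
    "other_name": SshfpAnswer("sshhost.example.net.", "evil.example.org.", True, GOOD_RDATA),
}

if __name__ == "__main__":
    print("search path:", candidates("sshhost", ["example.net", "corp.example.net"]))
    for label, ans in ANSWERS.items():
        rdata = trusted_sshfp(ADDR_CANONICAL, [ans])
        ok = rdata is not None and key_matches("ssh-ed25519", KEY_BLOB, rdata)
        print(f"{label:>10}: trusted={rdata is not None} key_matches={ok}")
```

Running it prints one line per constructed answer; only the validated answer whose canonical name equals the address lookup's produces a fingerprint list, and only that list is compared against the presented host key.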
