[PATCH] Use canonical hostname for DNS SSHFP lookup

Damien Miller djm at mindrot.org
Fri Apr 1 11:47:13 EST 2011

On Mon, 29 Nov 2010, Damien Miller wrote:

> On Sun, 28 Nov 2010, Jan Andres wrote:
> > In the current implementation, ssh always uses the hostname supplied by
> > the user directly for the SSHFP DNS record lookup. This causes problems
> > when using the domain search path, e.g. I have "search example.com" in my 
> > resolv.conf and then do a "ssh host", I will connect to host.example.com,
> > but ssh will query the DNS for an SSHFP record of "host.", not
> > "host.example.com.".
> > 
> > The patch below attempts to fix this issue by having getaddrinfo()
> > return the canonical host name from the lookup, and passes this on so it
> > can be used in the SSHFP record query.
> > 
> > As a side-effect, the patch will completely suppress the SSHFP lookup if
> > establishing an SSH1 connection, as RSA1 keys cannot be stored in SSHFP
> > records anyway.
> > 
> > The getaddrinfo() implementation in openbsd-compat/fake-rfc2553.c is
> > also updated to support the AI_CANONNAME flag.
> > 
> > I don't use OpenBSD, so the patch was prepared against the latest
> > snapshot of the portable OpenSSH version. Sorry if this causes any
> > inconvenience.
> I looked at this a while ago and rejected this approach as trusting the
> DNS too much. See the thread "Re: Question about host certificates" on
> this list from mid-June this year.
> What we really (IMHO) need is better feedback from the local resolver as
> to how it transformed the name before external resolution.
> There is a hackish workaround for recent OpenSSH - in ~/.ssh/config you
> can do:
> Host *.* *:* :*
> 	Hostname %h
> Host *
> 	Hostname %h.your.domain.com

I have just learned that Windows 7 has a flag that does exactly what we
need here: AI_FQDN. This is its description:

> If the AI_FQDN is set and a flat name (single label) is specified,
> GetAddrInfoW will return the fully qualified domain name that the name
> eventually resolved to. The fully qualified domain name is returned in
> the ai_canonname member in the associated addrinfoW structure. This
> is different than AI_CANONNAME bit flag that returns the canonical
> name registered in DNS which may be different than the fully qualified
> domain name that the flat name resolved to. Only one of the AI_FQDN
> and AI_CANONNAME bits can be set. The GetAddrInfoW function will fail
> if both flags are present with EAI_BADFLAGS.

Now we just need the Unix variants to follow...
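The distinction the thread turns on, as an added illustration that is not OpenSSH code and was not posted by anyone in the thread: a stub resolver expands a single-label name through the resolv.conf search list before it ever leaves the machine, so the expanded name is a local decision, while ai_canonname (AI_CANONNAME) is whatever the DNS answer says, including a CNAME target. The model below applies the search list locally, resolves against a constructed in-memory zone (the names example.com, host, server1.hosting.example.net and the address 192.0.2.10 are made up), and picks the SSHFP query name the way the Windows AI_FQDN description does: the fully qualified name the flat name was expanded to, not the canonical name from DNS. Function names are the example's own.

```python
# Added example, not OpenSSH's code: model resolv.conf search expansion and
# show which name an SSHFP lookup should use.  The zone below is constructed.

ZONE = {
    # "host.example.com." is an alias; the real server lives elsewhere.
    "host.example.com.": {"CNAME": "server1.hosting.example.net."},
    "server1.hosting.example.net.": {"A": "192.0.2.10"},
}


def search_candidates(name, search, ndots=1):
    """Absolute names a stub resolver would try, in order.

    Approximates the usual resolv.conf rules: a name ending in '.' is tried
    as-is; a name with fewer than `ndots` dots is tried with each search
    suffix first and then as an absolute name; otherwise absolute first.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") < ndots:
        return suffixed + [absolute]
    return [absolute] + suffixed


def lookup(name, zone, max_chain=8):
    """Follow CNAMEs in `zone`; return (address, canonical_name) or None."""
    canon = name
    for _ in range(max_chain):  # bounded so a CNAME loop cannot spin forever
        rr = zone.get(canon)
        if rr is None:
            return None
        if "CNAME" in rr:
            canon = rr["CNAME"]
            continue
        if "A" in rr:
            return rr["A"], canon
        return None
    return None


def resolve_with_search(name, search, zone, ndots=1):
    """Resolve like getaddrinfo(AI_CANONNAME) would, but also report the
    locally expanded name that actually produced the answer."""
    for candidate in search_candidates(name, search, ndots):
        found = lookup(candidate, zone)
        if found is not None:
            addr, canon = found
            return {"fqdn": candidate, "canonname": canon, "addr": addr}
    return None


def sshfp_query_name(result):
    """The name to query SSHFP for: the locally expanded FQDN (what the
    AI_FQDN description returns), not the DNS-supplied canonical name."""
    return result["fqdn"]


if __name__ == "__main__":
    # "ssh host" with "search example.com" in resolv.conf.
    r = resolve_with_search("host", ["example.com"], ZONE)
    print("A/AAAA answer came from:", r["fqdn"])        # host.example.com.
    print("ai_canonname would be:  ", r["canonname"])   # server1.hosting.example.net.
    print("SSHFP query name:       ", sshfp_query_name(r))
```

Run stand-alone, the script shows the three names side by side: the bare "host." that the current code would query (and miss), the "host.example.com." that the search list produced locally, and the CNAME target that AI_CANONNAME would hand back. Only the middle one is derived from local configuration rather than from the DNS answer, which is the property Damien asks for above.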


More information about the openssh-unix-dev mailing list