feature request: modify getrrsetbyname() to use libunbound

Luca Filipozzi lfilipoz at emyr.net
Wed May 9 14:20:33 EST 2012


Dear OpenSSH Developers,

I'm a member of the Debian System Administration (DSA) team. [1]  We
manage the Debian Project's computing infrastructure.

Recently, DSA had the opportunity to address a member's request that we
begin using certificates to authenticate Debian Project machines to ssh
clients.  We provided a lengthy reply, the summary of which is "we
publish SSHFP records; use VerifyHostKeyDNS; set up a local caching
resolver to avoid MITM attacks".

That said, it seems rather cumbersome to have users install a local
caching resolver in order to secure the last mile of DNS queries (who
trusts their ISP, after all), so we postulated whether it would be
possible to modify openssh such that the ssh client could perform the
queries itself.

It turns out that this is quite straightforward to implement (see
preliminary patch, attached), entirely because you have well
encapsulated the DNS query code.

Since we are quite concerned that our project members (let alone our
general user population) aren't managing their known_hosts in a secure
or timely manner, we are keen on using SSHFP records, but only if the
DNSSEC last mile issue can be addressed in a relatively easy way for
users.

We propose that openssh be modified as follows:

(1) introduce a new ssh_config directive: UnboundConfigurationFile

(2) modify getrrsetbyname() such that, if UnboundConfigurationFile is
set, then the unbound resolver is used; if not, then libc

(3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf

In this way, the standard mode of operation for ssh remains unchanged by
default.  Users who would like to use SSHFP records in a secure manner
would set the configuration directive.

Please find attached a preliminary patch that modifies getrrsetbyname()
to use libunbound rather than libc.

We have proposed [2] this modification to the Debian openssh package
maintainers.  Knowing that they (and we, too, frankly) would prefer the
modification to be adopted by upstream, I've subscribed to the
openssh-unix-dev list to begin the discussion (I've carbon copied my DSA
colleagues and the openssh package maintainers so that they are aware).

If there is interest in this proposal, I would be pleased to work with
you to complete the patch.  (In the meantime, I'm using openssh patched
with libunbound on my macbook since OS/X's libc doesn't support DNSSEC.)

Thanks for your consideration,

Luca Filipozzi

[1] http://www.debian.org/intro/organization
[2] http://lists.debian.org/debian-ssh/2012/05/msg00004.html

-- 
Luca Filipozzi
Member, Debian System Administration Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh.diff
Type: text/x-diff
Size: 2654 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20120509/689f068e/attachment.bin>
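An added example, not code from the post or from the attached openssh.diff: the trust decision an ssh client has to make once a validating resolver such as libunbound has answered an SSHFP query. libunbound reports validation status per answer in `struct ub_result` through the fields `secure` (DNSSEC chain verified), `bogus` (chain present but failed), and `data[i]`/`len[i]` (raw RDATA of each RR). The `resolver_answer` struct below is a hypothetical stand-in carrying only those fields so the example builds without libunbound; `demo_fp` and the records in `demo_verdict()` are constructed sample data, not a real host key. It goes slightly beyond the post by also accepting the SHA-256 fingerprint type from RFC 6594 alongside the SHA-1 type from RFC 4255.

```c
/*
 * Added example (not from the post or openssh.diff): decide whether SSHFP
 * records returned by a validating resolver may be trusted for a host key.
 * struct resolver_answer is a stand-in for the ub_result fields named
 * above; in a real client they would come from ub_resolve().
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SSHFP RDATA (RFC 4255; SHA-256 type from RFC 6594): alg, fptype, digest */
#define SSHFP_ALG_RSA       1
#define SSHFP_FPTYPE_SHA1   1
#define SSHFP_FPTYPE_SHA256 2
#define SHA1_LEN   20
#define SHA256_LEN 32
#define MAX_RR 4

struct resolver_answer {          /* stand-in for the ub_result fields used */
    int secure;                   /* 1: answer was DNSSEC-validated */
    int bogus;                    /* 1: validation attempted and failed */
    int nrr;
    const uint8_t *data[MAX_RR];  /* raw RDATA per RR */
    size_t len[MAX_RR];
};

enum sshfp_verdict {
    SSHFP_BOGUS = -1,        /* validation failed: refuse the DNS data */
    SSHFP_NO_MATCH = 0,      /* records present, none matches this key */
    SSHFP_MATCH_INSECURE,    /* matched, but not validated: advisory only */
    SSHFP_MATCH_SECURE       /* matched and validated: safe to accept */
};

/* 1 if one RDATA blob is well formed and carries fingerprint fp for alg.
 * The expected length comes from the fptype byte, so a truncated record
 * can never match. */
static int sshfp_rdata_matches(const uint8_t *rdata, size_t len, uint8_t alg,
                               uint8_t fptype, const uint8_t *fp, size_t fplen)
{
    size_t want;
    if (len < 2 || rdata[0] != alg || rdata[1] != fptype)
        return 0;
    switch (rdata[1]) {
    case SSHFP_FPTYPE_SHA1:   want = SHA1_LEN;   break;
    case SSHFP_FPTYPE_SHA256: want = SHA256_LEN; break;
    default:                  return 0;          /* unknown digest type */
    }
    if (len != 2 + want || fplen != want)
        return 0;
    return memcmp(rdata + 2, fp, want) == 0;
}

enum sshfp_verdict sshfp_verify(const struct resolver_answer *ans, uint8_t alg,
                                uint8_t fptype, const uint8_t *fp, size_t fplen)
{
    int matched = 0;
    /* A bogus answer is never used, even if some record happens to match:
     * that is exactly the last-mile tampering the proposal wants caught. */
    if (ans->bogus)
        return SSHFP_BOGUS;
    for (int i = 0; i < ans->nrr; i++)
        if (sshfp_rdata_matches(ans->data[i], ans->len[i], alg, fptype, fp, fplen))
            matched = 1;
    if (!matched)
        return SSHFP_NO_MATCH;
    return ans->secure ? SSHFP_MATCH_SECURE : SSHFP_MATCH_INSECURE;
}

/* Constructed SHA-1 fingerprint of a hypothetical RSA host key (sample only). */
static const uint8_t demo_fp[SHA1_LEN] = {
    0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x11, 0x22,
    0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc
};

/* Build a constructed answer set and run the check; tamper flips one
 * fingerprint byte, as a modified record in transit would. */
enum sshfp_verdict demo_verdict(int secure, int bogus, int tamper)
{
    static uint8_t rr1[2 + SHA1_LEN];                      /* SSHFP 1 1 <fp> */
    static const uint8_t rr2[2 + SHA1_LEN] = { 2, 1, 0 };  /* DSA, other key */
    static const uint8_t rr3[3] = { 1, 1, 0x12 };          /* truncated RR */
    struct resolver_answer ans = { secure, bogus, 3, { rr1, rr2, rr3 },
                                   { sizeof rr1, sizeof rr2, sizeof rr3 } };
    rr1[0] = SSHFP_ALG_RSA;
    rr1[1] = SSHFP_FPTYPE_SHA1;
    memcpy(rr1 + 2, demo_fp, SHA1_LEN);
    if (tamper)
        rr1[2] ^= 0xff;
    return sshfp_verify(&ans, SSHFP_ALG_RSA, SSHFP_FPTYPE_SHA1, demo_fp, SHA1_LEN);
}

int main(void)
{
    printf("validated match   -> %d\n", demo_verdict(1, 0, 0));
    printf("unvalidated match -> %d\n", demo_verdict(0, 0, 0));
    printf("tampered record   -> %d\n", demo_verdict(1, 0, 1));
    printf("bogus answer      -> %d\n", demo_verdict(0, 1, 0));
    return 0;
}
```

The point of routing the query through libunbound is where the `secure` input to this decision comes from: computed by the client's own validator against a local trust anchor, rather than read from an AD bit that an upstream (ISP or hotel) resolver set and that anything on the path could have rewritten. The verdicts map onto the client behaviour the post relies on: only a validated match justifies accepting a host key without a prompt, an unvalidated match is at best advisory, and a bogus answer should be surfaced as a failure rather than silently ignored.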