feature request: modify getrrsetbyname() to use libunbound
Luca Filipozzi
lfilipoz at emyr.net
Wed May 9 17:00:33 EST 2012
On Wed, May 09, 2012 at 08:08:47AM +0200, Peter Stuge wrote:
> Luca Filipozzi wrote:
> > We propose that openssh be modified as follows:
> >
> > (1) introduce a new ssh_config directive: UnboundConfigurationFile
>
> I don't think any SSH configuration directives should be tied to a
> specific implementation of anything outside the SSH domain.
Fair enough. I'm more interested in achieving good DNSSEC behaviour
than I am in introducing unbound-specific configuration directives.
> > (3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf
>
> What needs to be set in that config? I think adding DNSSEC-related
> directives to ssh_config and perhaps also sshd_config would be more
> in line with the rest of the configuration directives.
The patch that I attached uses ub_ctx_config(<filename>), which loads
an unbound-specific configuration. It was an attempt to limit the
number of ssh_config directives that might be needed.
I expect that we will need at least two directives:
(1) something that specifies the root anchor to prime DNSSEC
    DNSSECRootAnchorFile <filename>
  and/or
    DNSSECRootAnchor <string>
(2) something that sets edns0 buffer size to deal with broken networks
    ExtendedDNSBufferSize <string>
Both of these are DNSSEC-general rather than unbound-specific.
> Hopefully configuration can be given also programatically to
> libunbound, so that OpenSSH could use the same configuration
> directives regardless of which resolver library is used.
Absolutely.
We can use ub_ctx_add_ta(<string>) or ub_ctx_add_file(<filename>) for
the first one.
We can use ub_ctx_set_option("edns_buffer_size", <string>) for the
second.
I'm happy to move in this direction.
--
Luca Filipozzi
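The wiring sketched in the message above, as an added example that is not part of the original thread, of the attached patch, or of OpenSSH: it parses the two proposed DNSSEC-general directives and, when compiled with -DHAVE_UNBOUND and linked with -lunbound, hands them to libunbound through ub_ctx_add_ta_file()/ub_ctx_add_ta() and ub_ctx_set_option() (which takes the unbound.conf spelling of the option, "edns-buffer-size:" with the trailing colon), then performs an SSHFP lookup and reports the validation status. The directive names are the ones proposed in the mail; the accepted buffer-size range, the struct and function names, and the requirement that an inline anchor be a DS or DNSKEY record in zone-file form are assumptions for illustration. Without -DHAVE_UNBOUND only the parser is built, so the block compiles with a plain C compiler.

```c
/* Added example, not OpenSSH code or the patch under discussion. Directive
 * names follow the mail; value ranges, struct and function names are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define ANCHOR_MAX 512
#define EDNS_MIN 512   /* assumption: the DNS minimum message size */
#define EDNS_MAX 4096  /* assumption: the classic upper bound for EDNS0 */

struct dnssec_opts {
    char anchor_file[256];   /* DNSSECRootAnchorFile <filename> */
    char anchor[ANCHOR_MAX]; /* DNSSECRootAnchor: DS or DNSKEY RR in zone-file form */
    int edns_buffer_size;    /* ExtendedDNSBufferSize; 0 = keep the resolver default */
};

static const char *skip_ws(const char *s)
{
    while (*s != '\0' && isspace((unsigned char)*s))
        s++;
    return s;
}

/* Copies arg into dst without trailing whitespace; -1 if empty or too long. */
static int copy_arg(char *dst, size_t dstlen, const char *arg)
{
    size_t n = strlen(arg);
    while (n > 0 && isspace((unsigned char)arg[n - 1]))
        n--;
    if (n == 0 || n >= dstlen)
        return -1;
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return 0;
}

/* Parses one ssh_config line (keywords case-insensitive, as in ssh_config).
 * Returns 0 on success, blank line or comment; -1 on unknown keyword or bad value. */
int parse_dnssec_directive(struct dnssec_opts *o, const char *line)
{
    char key[64], val[ANCHOR_MAX];
    const char *p = skip_ws(line);
    size_t n = 0;

    if (*p == '\0' || *p == '#')
        return 0;
    while (*p != '\0' && !isspace((unsigned char)*p) && n < sizeof(key) - 1)
        key[n++] = *p++;
    key[n] = '\0';
    if (copy_arg(val, sizeof(val), skip_ws(p)) != 0)
        return -1;

    if (strcasecmp(key, "DNSSECRootAnchorFile") == 0)
        return copy_arg(o->anchor_file, sizeof(o->anchor_file), val);
    if (strcasecmp(key, "DNSSECRootAnchor") == 0) {
        /* ub_ctx_add_ta() wants a DS or DNSKEY record in zone-file format. */
        if (strstr(val, " DS ") == NULL && strstr(val, " DNSKEY ") == NULL)
            return -1;
        return copy_arg(o->anchor, sizeof(o->anchor), val);
    }
    if (strcasecmp(key, "ExtendedDNSBufferSize") == 0) {
        char *end;
        long v = strtol(val, &end, 10);
        if (*end != '\0' || v < EDNS_MIN || v > EDNS_MAX)
            return -1;
        o->edns_buffer_size = (int)v;
        return 0;
    }
    return -1;
}

#ifdef HAVE_UNBOUND
#include <unbound.h>

/* Feeds the parsed directives to a libunbound context; 0 or a ub error code. */
int apply_dnssec_opts(struct ub_ctx *ctx, const struct dnssec_opts *o)
{
    char num[16];
    int r;

    if (o->anchor_file[0] != '\0' && (r = ub_ctx_add_ta_file(ctx, o->anchor_file)) != 0)
        return r;
    if (o->anchor[0] != '\0' && (r = ub_ctx_add_ta(ctx, o->anchor)) != 0)
        return r;
    if (o->edns_buffer_size != 0) {
        snprintf(num, sizeof(num), "%d", o->edns_buffer_size);
        /* ub_ctx_set_option() uses unbound.conf spelling, trailing colon included. */
        if ((r = ub_ctx_set_option(ctx, "edns-buffer-size:", num)) != 0)
            return r;
    }
    return 0;
}

/* SSHFP (type 44) lookup: 1 = DNSSEC-secure answer, 0 = insecure or no data,
 * -1 = bogus or error. Only a 1 should ever be treated like RRSET_VALIDATED. */
int lookup_sshfp_validated(struct ub_ctx *ctx, const char *host)
{
    struct ub_result *res = NULL;
    int status;

    if (ub_resolve(ctx, host, 44, 1, &res) != 0 || res == NULL)
        return -1;
    status = res->bogus ? -1 : ((res->havedata && res->secure) ? 1 : 0);
    ub_resolve_free(res);
    return status;
}
#endif
```

The parser rejects an inline anchor that is not a DS or DNSKEY record and a buffer size outside the assumed range before anything reaches libunbound, so a typo in ssh_config fails at config-parse time rather than producing a resolver that silently validates nothing; a bogus result is deliberately distinguished from an insecure one because the former is an attack signal, not merely an unsigned zone.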