feature request: modify getrrsetbyname() to use libunbound
Ondřej Caletka
ondrej at caletka.cz
Wed May 9 17:50:22 EST 2012
On 9.5.2012 06:20, Luca Filipozzi wrote:
> That said, it seems rather cumbersome to have users install a local
> caching resolver in order to secure the last mile of DNS queries (who
> trusts their ISP, after all), so we postulated whether it would be
> possible to modify openssh such that the ssh client could perform the
> queries itself.
Wouldn't it be done by just adding a trust anchor to the current ldns
resolving code? It looks like there is already some kind of autonomous
validation attempt in getrrsetbyname-ldns.c:
    /* Check for authenticated data */
    if (ldns_pkt_ad(pkt)) {
        rrset->rri_flags |= RRSET_VALIDATED;
    } else { /* AD is not set, try autonomous validation */
        ldns_rr_list * trusted_keys = ldns_rr_list_new();
Regards,
Ondřej Caletka
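
An added example, not part of the original message and not OpenSSH code: the excerpt's first branch marks the RRset validated whenever the response's AD bit is set. The C code below reads that bit from a raw DNS header and accepts it only when the resolver is on loopback, otherwise leaving validation to the caller's own trust anchor; the function names, the loopback policy and the sample header bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNS header flag bits in the 16-bit flags word (RFC 1035, RFC 4035). */
#define DNS_FLAG_QR 0x8000u  /* message is a response */
#define DNS_FLAG_AD 0x0020u  /* resolver claims the data is authentic */

enum rr_trust {
    RR_MALFORMED = -1,       /* not a usable DNS response */
    RR_VALIDATED = 0,        /* AD accepted from a trusted path */
    RR_NEEDS_VALIDATION = 1  /* caller must validate against its own trust anchor */
};

/* Hypothetical policy (assumption): only a loopback resolver path is trusted. */
static int resolver_path_trusted(const char *resolver_ip)
{
    return strncmp(resolver_ip, "127.", 4) == 0 || strcmp(resolver_ip, "::1") == 0;
}

/* Classify a raw DNS response by its header AD bit and where it came from. */
enum rr_trust classify_response(const uint8_t *msg, size_t len, const char *resolver_ip)
{
    uint16_t flags;

    if (msg == NULL || resolver_ip == NULL || len < 12)  /* header is 12 bytes */
        return RR_MALFORMED;
    flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if (!(flags & DNS_FLAG_QR))
        return RR_MALFORMED;
    /* AD is a single unsigned header bit: any party on the path can set it. */
    if ((flags & DNS_FLAG_AD) && resolver_path_trusted(resolver_ip))
        return RR_VALIDATED;
    return RR_NEEDS_VALIDATION;
}

/* Constructed sample header: flags 0x81a0 (QR RD RA AD), 1 question, 1 answer. */
static const uint8_t sample_ad_response[12] = {
    0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("loopback: %d\n", classify_response(sample_ad_response, 12, "127.0.0.1"));
    printf("remote:   %d\n", classify_response(sample_ad_response, 12, "192.0.2.53"));
    return 0;
}
```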
More information about the openssh-unix-dev mailing list