feature request: modify getrrsetbyname() to use libunbound
Robert Story
rstory at tislabs.com
Wed May 9 22:50:21 EST 2012
On Wed, 9 May 2012 16:41:32 +1000 Darren wrote:
DT> On Wed, May 09, 2012 at 04:20:33AM +0000, Luca Filipozzi wrote:
DT> [...]
DT> > We propose that openssh be modified as follows:
DT> >
DT> > (1) introduce a new ssh_config directive: UnboundConfigurationFile
DT> >
DT> > (2) modify getrrsetbyname() such that, if UnboundConfigurationFile is
DT> > set, then the unbound resolver is used; if not, then libc
DT> >
DT> > (3) provide a default unbound configuration
DT> > in /etc/ssh/ssh_unbound_conf
DT>
DT> OK, here's my opinion:
DT> - I am OK with adding support for libunbound (we already have
DT> compile-time support for an alternate resolver, ldns), however
There is also a patch that I submitted back in 2009 to use libval from
DNSSEC-Tools to do local validation. Any chance of getting that accepted?
The last time I updated it was for 5.8, but I'd be glad to update it for
6.0 if there's a chance it will be accepted.
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
We also added a new option, AutoAnswerValidatedKeys, to (optionally)
automatically accept new keys which match a DNSSEC-validated SSHFP record.
And we always do the validation in the library, and do not ever trust the
AD bit from remote resolvers.
Robert
--
Senior Software Engineer
SPARTA, Inc., a Parsons Company
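The check Robert describes, matching a host key against SSHFP records and only honouring the match when validation happened locally rather than trusting an upstream resolver's AD bit, as an added example. This is not OpenSSH, libval or libunbound code: the `SshfpLookup` class is a stand-in for whatever a validating library returns, the Ed25519 key is constructed test data, and the SSHFP algorithm and fingerprint-type numbers are those from RFC 4255 and RFC 6594.

```python
"""Added example (not OpenSSH or DNSSEC-Tools code): match an SSH host key
against SSHFP records and accept it only when the RRset was validated locally."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List

# SSHFP algorithm numbers: RFC 4255 (RSA=1, DSA=2), RFC 6594 (ECDSA=3, Ed25519=4).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: SHA-1=1 (RFC 4255), SHA-256=2 (RFC 6594).
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class Sshfp:
    algorithm: int
    fp_type: int
    fingerprint: bytes  # raw digest of the public key blob

    @classmethod
    def from_rdata(cls, rdata: str) -> "Sshfp":
        """Parse presentation format as seen in a zone file, e.g. '4 2 abcd...'."""
        alg, fpt, hexfp = rdata.split()
        return cls(int(alg), int(fpt), bytes.fromhex(hexfp))

    def rdata(self) -> str:
        return f"{self.algorithm} {self.fp_type} {self.fingerprint.hex()}"


@dataclass
class SshfpLookup:
    """Hypothetical shape of what a validating resolver library hands back."""
    records: List[Sshfp]
    locally_validated: bool      # chain verified in-process from the trust anchor
    remote_ad_bit: bool = False  # AD flag set by an upstream resolver; ignored


def sshfp_for_hostkey(keytype: str, b64blob: str) -> List[Sshfp]:
    """Compute every SSHFP record one could publish for a known_hosts-style key.
    The fingerprint is the digest of the raw (base64-decoded) key blob."""
    blob = base64.b64decode(b64blob)
    alg = SSHFP_ALGORITHM[keytype]
    return [Sshfp(alg, fpt, h(blob).digest()) for fpt, h in SSHFP_DIGEST.items()]


def hostkey_matches(keytype: str, b64blob: str, lookup: SshfpLookup) -> bool:
    """True only if a locally validated SSHFP matches; the AD bit never suffices."""
    if not lookup.locally_validated:
        return False
    mine = {(r.algorithm, r.fp_type): r.fingerprint
            for r in sshfp_for_hostkey(keytype, b64blob)}
    for rr in lookup.records:
        want = mine.get((rr.algorithm, rr.fp_type))
        if want is not None and hmac.compare_digest(want, rr.fingerprint):
            return True
    return False


def constructed_ed25519_key() -> str:
    """Build a syntactically valid ssh-ed25519 public key blob (constructed test
    data, not a real host's key): string "ssh-ed25519" || string <32-byte key>."""
    pk = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pk
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    key = constructed_ed25519_key()
    published = [Sshfp.from_rdata(r.rdata()) for r in sshfp_for_hostkey("ssh-ed25519", key)]
    for r in published:
        print("SSHFP", r.rdata())
    print(hostkey_matches("ssh-ed25519", key, SshfpLookup(published, locally_validated=True)))
    print(hostkey_matches("ssh-ed25519", key,
                          SshfpLookup(published, locally_validated=False, remote_ad_bit=True)))
```

The second call returns False even though the records match and the upstream resolver claimed AD: a forged or stripped-down answer from a resolver on the path can set that bit at will, so only an in-process validation result counts, which is exactly why the validation is done in the library rather than read from the response.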