feature request: modify getrrsetbyname() to use libunbound

Luca Filipozzi lfilipoz at emyr.net
Fri May 11 05:35:23 EST 2012


On Wed, May 09, 2012 at 05:41:37PM -0400, Robert Story wrote:
> On Wed, 9 May 2012 18:56:08 +0000 Luca wrote:
> LF> > Yes, which is why we prefer our DNSSEC-Tools libval patch, which
> LF> > always does local validation and does not depend on the AD flag.
> LF> > 
> LF> > 	https://bugzilla.mindrot.org/show_bug.cgi?id=1672
> 
> I just updated the patch for 6.0p1, in case anyone is interested in trying
> it.

Thanks very much.

> LF> (2) make use of Robert's DNSSEC-Tools-based implementation; could the
> LF> DNSSEC-Tools-specific implementation be moved from verify_host_key_dns()
> LF> to getrrsetbyname()?
> 
> We wanted to have the lowest impact possible, and only do DNSSEC for
> verifying sshfp records. If upstream is willing to accept optional
> validation of all records, we could do that too.

I'm in favour of encapsulating the library-of-choice related code changes
into getrrsetbyname(), leaving only the OpenSSH configuration related
code changes in common openssh/openssh-portable code.

But before we invest more time in this effort, it would be helpful to
hear upstream's opinion regarding our request for anchored DNSSEC
validation to be built into openssh.

We don't want to trust an upstream resolver's AD bit and we don't
want to require that users install a local resolver. Do they concur?

-- 
Luca Filipozzi
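The thread's objection to trusting an upstream resolver's AD bit, and the question of where DNSSEC-aware SSHFP handling should live, can be made concrete with a small model. The following is an added example written for this page; it is not code from OpenSSH, DNSSEC-Tools, libunbound or any patch referenced above. It assumes a simplified policy (`dns_host_key_verdict`) that mirrors the documented shape of OpenSSH's `VerifyHostKeyDNS` option: a matching SSHFP record is accepted only when the answer is DNSSEC-secure, and otherwise the user is asked. All DNS messages, host keys and SSHFP RDATA below are constructed test values. The point it shows: the AD flag is an unauthenticated header bit that any resolver or on-path hop can set, so a stub can only believe it from a loopback validating resolver, whereas a local validator's own result (what a libunbound- or libval-backed `getrrsetbyname()` would return) stands on its own.

```python
"""Constructed model: AD-bit trust versus local DNSSEC validation for SSHFP lookups."""
import hashlib
import hmac
import struct

FLAG_AD = 0x0020        # Authenticated Data bit in the DNS header (RFC 4035 s3.2.3)
SSHFP_FPTYPE_SHA1 = 1   # SSHFP fingerprint types (RFC 4255 / RFC 6594)
SSHFP_FPTYPE_SHA256 = 2


def build_header(flags, txid=0x1234):
    """Build a 12-byte DNS header with the given flags word (constructed data)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)


def header_flags(msg):
    """Return the 16-bit flags word of a DNS message header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", msg[2:4])[0]


def ad_bit_set(msg):
    return bool(header_flags(msg) & FLAG_AD)


def set_ad_bit(msg):
    """Show that AD is plain header state: nothing in the message protects it."""
    return msg[:2] + struct.pack("!H", header_flags(msg) | FLAG_AD) + msg[4:]


def answer_is_secure(msg, local_validation_result=None, resolver_is_loopback=False):
    """Decide whether an answer may be treated as DNSSEC-secure.

    If the process validated the chain itself (e.g. via a validating library),
    use that result and ignore the header bit entirely.  Otherwise the AD bit
    is only meaningful when it came from a validating resolver on loopback,
    because no other path authenticates the flag.
    """
    if local_validation_result is not None:
        return bool(local_validation_result)
    return resolver_is_loopback and ad_bit_set(msg)


def parse_sshfp(rdata):
    """Split SSHFP RDATA into (algorithm, fingerprint type, fingerprint)."""
    if len(rdata) < 3:
        raise ValueError("SSHFP RDATA too short")
    return rdata[0], rdata[1], bytes(rdata[2:])


def key_fingerprint(key_blob, fptype):
    if fptype == SSHFP_FPTYPE_SHA1:
        return hashlib.sha1(key_blob).digest()
    if fptype == SSHFP_FPTYPE_SHA256:
        return hashlib.sha256(key_blob).digest()
    raise ValueError("unsupported SSHFP fingerprint type %d" % fptype)


def sshfp_matches(key_algo, key_blob, rdata):
    """True when the record's algorithm matches and its fingerprint equals the key's."""
    algo, fptype, fp = parse_sshfp(rdata)
    if algo != key_algo:
        return False
    try:
        expected = key_fingerprint(key_blob, fptype)
    except ValueError:
        return False
    return hmac.compare_digest(expected, fp)


def dns_host_key_verdict(setting, matched, secure):
    """Simplified model (an assumption, not OpenSSH's code) of VerifyHostKeyDNS:
    'no' ignores DNS; 'yes' accepts a matching record only if it is secure;
    any other outcome falls back to asking the user."""
    if setting == "no":
        return "ignore-dns"
    if setting == "yes" and matched and secure:
        return "accept"
    return "ask"


# --- constructed sample data -------------------------------------------------
REMOTE_ANSWER = build_header(0x8180)          # QR, RD, RA set; AD clear
HOST_KEY = b"constructed-ed25519-host-key-blob"
SSHFP_ALGO_ED25519 = 4
SSHFP_RDATA = bytes([SSHFP_ALGO_ED25519, SSHFP_FPTYPE_SHA256]) + \
    hashlib.sha256(HOST_KEY).digest()


def demo():
    """Walk through the three trust situations discussed in the thread."""
    spoofed = set_ad_bit(REMOTE_ANSWER)
    matched = sshfp_matches(SSHFP_ALGO_ED25519, HOST_KEY, SSHFP_RDATA)
    return {
        "ad_from_remote": dns_host_key_verdict(
            "yes", matched, answer_is_secure(spoofed, resolver_is_loopback=False)),
        "ad_from_loopback": dns_host_key_verdict(
            "yes", matched, answer_is_secure(spoofed, resolver_is_loopback=True)),
        "validated_locally": dns_host_key_verdict(
            "yes", matched, answer_is_secure(REMOTE_ANSWER, local_validation_result=True)),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` result spells out the thread's position: an AD bit arriving from a non-loopback resolver yields `ask`, the same bit from a loopback validator yields `accept`, and a locally validated chain yields `accept` regardless of what the header says. Building validation into `getrrsetbyname()` is what lets the third path exist without requiring users to run a local resolver.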