sshfp/ldns still having issues in 7.6

Darren Tucker dtucker at dtucker.net
Thu Jan 11 21:39:14 AEDT 2018


On 11 January 2018 at 07:12, Jonathan Duncan <jonathan at nacnud.com> wrote:
> I have been running openSSH 7.4p1 for a while now. When I upgraded to 7.5 a
> year or so ago I ran into the problem listed in this bug report:

Upgraded how?  Built yourself?  Configured with which options and
which version of LDNS?

> 7.4p1
>
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
> debug3: verify_host_key_dns
> debug2: ldns: got 1 answers from DNS
> debug1: found 1 secure fingerprints in DNS

Note the "ldns:" line.  This one is built with LDNS.

> 7.6p1
>
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
> debug3: verify_host_key_dns
> debug1: found 1 insecure fingerprints in DNS

Note the lack of the ldns: line.  I suspect this one is not built with
LDNS.  You can confirm this with ldd, you should see something like:

$ ldd ssh | grep ldns
libldns.so.2 => /usr/lib/libldns.so.2 (0xb7bfe000)

> The system I am testing on is running macOS 10.13.2 (High Sierra). Others
> in my office are getting the same problem and running a similar setup
> (though some are running macOS 10.12)
>
> Is this a bug still or is there possibly something else at play here?

I suspect it's something else.  I'd check config.h and your build logs
to make sure LDNS was actually enabled as you expect.

> Is anyone else having the same problem? (Is anyone else using SSHFP/DNSSEC?)

I just set up DNSSEC for my domain and built 7.6p1 with LDNS 1.7.0 and
(other than ldns-config wanting to link -lpython2.7 for some reason)
it worked.

$ ./ssh -vvv -o verifyhostkeydns=yes server | grep -i dns
debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug1: found 6 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
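The two checks Darren describes (look for the "ldns:" line and the "secure" vs "insecure" wording in the -vvv output, and confirm with ldd that the binary links libldns) can be scripted. The following is an added example, not code from the thread or from OpenSSH; it parses the exact debug lines quoted above (embedded here as constructed samples) and reports whether the SSHFP answer was DNSSEC-validated, which is the only case in which ssh trusts it without asking. The function names, the `otool -L` fallback for macOS and the `BatchMode=yes` option on the probe command are my additions.

```python
"""Classify an `ssh -vvv -o VerifyHostKeyDNS=yes` transcript the way the thread does.

Added example, not code from OpenSSH or the thread; the debug lines it matches are
the ones ssh prints from verify_host_key_dns(). Function names are my own.
"""
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass

# Constructed samples: the transcripts quoted in the thread, trimmed to the DNS lines.
SAMPLE_74_LDNS = """\
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
debug3: verify_host_key_dns
debug2: ldns: got 1 answers from DNS
debug1: found 1 secure fingerprints in DNS
"""

SAMPLE_76_NO_LDNS = """\
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
debug3: verify_host_key_dns
debug1: found 1 insecure fingerprints in DNS
"""

SAMPLE_76_WORKING = """\
debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug1: found 6 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
"""

LDNS_RE = re.compile(r"^debug\d: ldns: got (\d+) answers from DNS", re.M)
FOUND_RE = re.compile(r"^debug\d: found (\d+) (secure|insecure) fingerprints in DNS", re.M)
MATCH_RE = re.compile(r"^debug\d: matching host key fingerprint found in DNS", re.M)


@dataclass
class SshfpResult:
    uses_ldns: bool      # an "ldns:" line appeared, so the client was built with LDNS
    fingerprints: int    # number of SSHFP fingerprints ssh reported
    validated: bool      # ssh called them "secure", i.e. DNSSEC-validated
    matched: bool        # one of them matched the presented host key

    @property
    def verdict(self) -> str:
        if self.fingerprints == 0:
            return "no SSHFP records found; host key not checked against DNS"
        if not self.validated:
            msg = "SSHFP records found but not DNSSEC-validated; ssh will not trust them automatically"
            if not self.uses_ldns:
                msg += " (no 'ldns:' line: client probably not built with LDNS)"
            return msg
        if self.matched:
            return "host key matched a DNSSEC-validated SSHFP record"
        return "DNSSEC-validated SSHFP records found but none matches the presented host key"


def parse_sshfp_debug(text: str) -> SshfpResult:
    """Pick the verify_host_key_dns() lines out of ssh's -vvv stderr."""
    found = FOUND_RE.search(text)
    count = int(found.group(1)) if found else 0
    secure = found is not None and found.group(2) == "secure"
    return SshfpResult(
        uses_ldns=LDNS_RE.search(text) is not None,
        fingerprints=count,
        validated=secure,
        matched=MATCH_RE.search(text) is not None,
    )


def ssh_links_ldns(ssh_path: str = "ssh") -> bool:
    """The ldd check from the thread (otool -L on macOS); needs a real binary, so not run by the tests."""
    binary = shutil.which(ssh_path) or ssh_path
    tool = ["otool", "-L"] if sys.platform == "darwin" else ["ldd"]
    out = subprocess.run(tool + [binary], capture_output=True, text=True).stdout
    return "libldns" in out


def check_host(host: str, ssh_path: str = "ssh") -> SshfpResult:
    """Run the probe command from the thread against a real host and classify its output."""
    proc = subprocess.run(
        [ssh_path, "-vvv", "-o", "VerifyHostKeyDNS=yes", "-o", "BatchMode=yes", host, "exit"],
        capture_output=True, text=True,
    )
    return parse_sshfp_debug(proc.stderr)


if __name__ == "__main__":
    results = [parse_sshfp_debug(s) for s in (SAMPLE_74_LDNS, SAMPLE_76_NO_LDNS, SAMPLE_76_WORKING)]
    if len(sys.argv) > 1:
        results.append(check_host(sys.argv[1]))
    for r in results:
        print(r.verdict)
```

Run it with a hostname to probe a live server, or with no arguments to classify the three transcripts from the thread; the 7.6 transcript classifies as "not DNSSEC-validated" with the missing "ldns:" line called out, which is the symptom Darren attributes to a build without LDNS rather than to the bug report.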
