[Bug 1299] Remove redefinition of _res in getrrsetbyname.c
bugzilla-daemon at mindrot.org
Fri Mar 16 15:54:17 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1299
Summary: Remove redefinition of _res in getrrsetbyname.c
Product: Portable OpenSSH
Version: 4.5p1
Platform: All
OS/Version: NetBSD
Status: NEW
Keywords: patch
Severity: major
Priority: P2
Component: ssh
AssignedTo: bitbucket at mindrot.org
ReportedBy: cjs at cynic.net
Ssh won't use SSHFP fingerprints available via DNSSEC, because it
doesn't turn on DNSSEC to request them.
Around line 70 in openbsd-compat/getrrsetbyname.c, we have the following:

    /* to avoid conflicts where a platform already has _res */
    #ifdef _res
    # undef _res
    #endif
    #define _res _compat_res
    struct __res_state _res;
This defines a global, _compat_res, used only by OpenSSH (at least on
NetBSD), and makes _res be that instead of the "real" _res (however that
might be defined on various platforms).
_res is used only in the getrrsetbyname function, which never
initializes it in any way, but tries to act as if it's using the real
_res. So it calls res_init() every time:

    if ((_resp->options & RES_INIT) == 0 && res_init() == -1) {
and it never turns on DNSSEC, even when RES_USE_EDNS0 is set, since it's
checking for it in the wrong place:

    if (_resp->options & RES_USE_EDNS0)
        _resp->options |= RES_USE_DNSSEC;
The fix is to remove the code that redefines _res, or at least #ifdef
it for only those platforms that need this for some reason.
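The aliasing described above, as an added, constructed model (not OpenSSH's code and not the platform's <resolv.h>): a stand-in res_init() fills in one resolver state while getrrsetbyname's check reads a private zeroed copy, so RES_INIT is never seen (res_init runs on every call) and RES_USE_DNSSEC is never set. The flag values, struct and model_res_init behaviour are assumptions of the model.

```c
#include <string.h>

/* Placeholder flag values for the model; the platform's <resolv.h> defines
 * the real RES_INIT, RES_USE_EDNS0 and RES_USE_DNSSEC. */
#define M_RES_INIT        0x1
#define M_RES_USE_EDNS0   0x2
#define M_RES_USE_DNSSEC  0x4

struct model_res_state { unsigned long options; };

static struct model_res_state real_res;    /* the state res_init() fills in */
static struct model_res_state compat_res;  /* the private _compat_res global */
static int init_calls;                     /* how often res_init() ran */

/* Reset the model before each scenario: both states zeroed, as a fresh
 * process would have them. */
void model_reset(void)
{
    memset(&real_res, 0, sizeof real_res);
    memset(&compat_res, 0, sizeof compat_res);
    init_calls = 0;
}

/* Stand-in for res_init(): initialises only the real state and, as an
 * assumption of the model, sets EDNS0 when the configuration asks for it. */
static int model_res_init(int edns0_configured)
{
    init_calls++;
    real_res.options = M_RES_INIT | (edns0_configured ? M_RES_USE_EDNS0 : 0);
    return 0;
}

/* The sequence from getrrsetbyname(), parameterised on which state _resp
 * points at.  Returns 1 if the query would carry the DNSSEC flag, 0 if not. */
static int dnssec_requested(struct model_res_state *resp, int edns0_configured)
{
    if ((resp->options & M_RES_INIT) == 0 && model_res_init(edns0_configured) == -1)
        return -1;
    if (resp->options & M_RES_USE_EDNS0)   /* the check the report calls misplaced */
        resp->options |= M_RES_USE_DNSSEC;
    return (resp->options & M_RES_USE_DNSSEC) != 0;
}

/* Buggy path: _resp is &_compat_res, which res_init() never touches. */
int buggy_dnssec(int edns0_configured) { return dnssec_requested(&compat_res, edns0_configured); }

/* Fixed path: _resp is the state res_init() actually initialised. */
int fixed_dnssec(int edns0_configured) { return dnssec_requested(&real_res, edns0_configured); }

int init_call_count(void) { return init_calls; }
```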