[Bug 1672] add local DNSSEC validation

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Oct 21 02:11:27 EST 2010


jarrod.b.johnson+osb at gmail.com changed:

           What    |Removed                     |Added
                 CC|                            |jarrod.b.johnson+osb at gmail.
                   |                            |com

--- Comment #2 from jarrod.b.johnson+osb at gmail.com 2010-10-21 02:11:27 EST ---
I would like to see this baked into OpenSSH as well.  As it stands, the
DNSSEC support for SSHFP has two critical gaps as far as I can tell:

-No protection for DNS hijacking between client and closest DNS server
(e.g. most home users point at an ISP DNS server, so anyone with access
to the ISP network can trick DNSSEC validated SSHFP records even
without compromising the security of DNSSEC)

-The inability to cleanly deal with the case where local nameserver is
authoritative.  The AD bit won't be set if AA is set.  If I'm using a
local DNS server as a repository for SSHFP records, I cannot use this
infrastructure to help scripted execution of ssh as it stands since it
will receive authoritative, but not validated data.  Commonly, a
resolver on localhost can close the gap for most cases, but the problem
of executing ssh from the DNS server itself is problematic.

Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list