[Bug 2119] New: SSHFP with DNSSEC – no trust anchors given, validation always fails

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Jun 9 18:39:44 EST 2013


https://bugzilla.mindrot.org/show_bug.cgi?id=2119

            Bug ID: 2119
           Summary: SSHFP with DNSSEC – no trust anchors given, validation
                    always fails
           Product: Portable OpenSSH
           Version: 6.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: grawity at gmail.com

The ldns DNS resolver, as used by openbsd-compat/getrrsetbyname-ldns.c,
always fails to verify the DNSSEC signatures:

debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug2: ldns: trying to validate RRset
debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS
debug2: ldns: RRset validation failed: General LDNS error
debug1: found 6 insecure fingerprints in DNS

The problem is that ldns is not being given any trust anchor, so it
defaults to an empty list and automatically fails. This makes the ldns
support useless when used standalone (i.e. when the resolver doesn't
set the AD bit).

Either ldns or OpenSSH should be changed to read the default root key –
see read_key_file() in ldns source (ldns defines LDNS_TRUST_ANCHOR_FILE
as "/etc/unbound/root.key" but doesn't use it automatically).

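As an added illustration (not code from OpenSSH or ldns), the Python below shows the two checks a maintainer would want around the failure described in this report: refusing to start DNSSEC validation when the trust-anchor list is empty, and classifying `ssh -vv` output as a secure or insecure SSHFP result. It assumes the zone-file-style layout of unbound's root.key (one DNSKEY or DS record per line, `;` comments, optional trailing `;;state=...` annotations) and assumes the successful case prints "found N secure fingerprints in DNS" by analogy with the "insecure" line quoted above; the sample anchor file and its key material are constructed placeholders.

```python
import re
from dataclasses import dataclass

# --- constructed sample inputs (not from the bug report or any real key) ---

# Trust-anchor file in the zone-file style unbound's root.key uses:
#   owner [ttl] [class] DNSKEY flags protocol algorithm key  ;;optional unbound state
# The key material is a placeholder, not a real KSK.
SAMPLE_ANCHOR_FILE = """\
; constructed example anchor file
. 172800 IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDplaceholderKEYmaterial== ;;state=2 [  VALID  ] ;;count=0
"""

# Comment-only file: effectively what ldns was working with in the report.
EMPTY_ANCHOR_FILE = """\
; no anchors configured
"""

# Debug lines quoted in the bug report.
REPORT_DEBUG_OUTPUT = """\
debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug2: ldns: trying to validate RRset
debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS
debug2: ldns: RRset validation failed: General LDNS error
debug1: found 6 insecure fingerprints in DNS
"""

# Constructed: what a validated lookup is assumed to print.
SECURE_DEBUG_OUTPUT = """\
debug3: verify_host_key_dns
debug2: ldns: got 2 answers from DNS
debug1: found 2 secure fingerprints in DNS
"""


@dataclass
class TrustAnchor:
    owner: str
    rrtype: str   # "DNSKEY" or "DS"
    rdata: str    # remaining presentation-format fields, space separated


class NoTrustAnchors(Exception):
    """Raised instead of silently validating against an empty anchor list."""


def parse_anchor_line(line):
    """Parse one 'owner [ttl] [class] TYPE rdata...' line; return None for blanks/comments."""
    line = line.split(";", 1)[0].strip()   # drop ';' and ';;state=...' comments
    if not line:
        return None
    fields = line.split()
    owner, rest = fields[0], fields[1:]
    if rest and rest[0].isdigit():          # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
        rest = rest[1:]
    if not rest:
        raise ValueError(f"malformed anchor line: {line!r}")
    rrtype, rdata_fields = rest[0].upper(), rest[1:]
    if rrtype not in ("DNSKEY", "DS"):
        raise ValueError(f"unsupported anchor type {rrtype} in {line!r}")
    if len(rdata_fields) < 4:               # DNSKEY: flags proto alg key; DS: tag alg dtype digest
        raise ValueError(f"too few rdata fields in {line!r}")
    if rrtype == "DNSKEY":
        int(rdata_fields[0])                # flags must be numeric
        if rdata_fields[1] != "3":          # RFC 4034: protocol field is always 3
            raise ValueError(f"bad DNSKEY protocol field in {line!r}")
    return TrustAnchor(owner, rrtype, " ".join(rdata_fields))


def load_trust_anchors(text):
    """Return the anchors in an unbound-style file, refusing to return an empty list."""
    anchors = [a for a in (parse_anchor_line(l) for l in text.splitlines()) if a]
    if not anchors:
        raise NoTrustAnchors("no trust anchors loaded; every RRset would fail validation")
    return anchors


SSHFP_RESULT = re.compile(r"found (\d+) (secure|insecure) fingerprints in DNS")


def classify_sshfp_debug(debug_output):
    """Return (status, count): status is 'secure', 'insecure' or None if no result line."""
    for line in debug_output.splitlines():
        m = SSHFP_RESULT.search(line)
        if m:
            return m.group(2), int(m.group(1))
    return None, 0


if __name__ == "__main__":
    print(load_trust_anchors(SAMPLE_ANCHOR_FILE))
    print(classify_sshfp_debug(REPORT_DEBUG_OUTPUT))
    try:
        load_trust_anchors(EMPTY_ANCHOR_FILE)
    except NoTrustAnchors as e:
        print("refused:", e)
```

The point of `load_trust_anchors` raising on an empty list is that an unconfigured validator should fail loudly at startup rather than report every SSHFP RRset as "insecure" at lookup time, which is the behaviour the report describes.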