
Bug#572049: please support dnssec for sshfp lookups



Package: openssh-client

Hi,

now that eglibc supports RES_USE_DNSSEC in experimental (cf #569592),
the version which - AIUI - should eventually end up in squeeze, it would
be nice if Debian's ssh client could make use of that when resolving a
host's sshfp record.

Fedora has a small patch against openssh's dns code at
https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup

When this patch is applied to ssh and ssh is built against a 2.11 glibc,
then ssh will no longer prompt for verification of ssh hostkeys if they
are both secured by dnssec and the user selected to trust the dns (-o
VerifyHostKeyDNS=yes).

| [sid] weasel@intrepid:~$ ssh -vv -o VerifyHostKeyDNS=yes ravel.debian.org
..
| debug1: found 1 secure fingerprints in DNS
| debug1: matching host key fingerprint found in DNS
..

Please consider applying that patch, or doing whatever else is necessary
so that ssh makes proper use of sshfp records.

Thanks,
weasel
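The decision the report describes (a DNSSEC-validated SSHFP match with VerifyHostKeyDNS=yes suppresses the host-key prompt, anything else falls back to asking), modelled as an added Python example; this is not code from the bug, from OpenSSH, or from the Fedora patch. The sample key blob is constructed and the SHA-256 fingerprint type goes beyond the SHA-1-only records of the patch's era.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255; SHA-256 type from RFC 6594).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def host_key_fingerprints(key_b64):
    """Digest the wire-format key blob (what an SSHFP record hashes), per fp type."""
    blob = base64.b64decode(key_b64)
    return {t: h(blob).digest() for t, h in SSHFP_HASH.items()}


def verify_host_key_dns(key_type, key_b64, rrset, ad_flag):
    """Model the lookup outcome as (found, matched, secure).

    rrset:   list of (algorithm, fp_type, fingerprint_bytes) SSHFP records
    ad_flag: True only when the resolver validated the answer (DNSSEC AD bit),
             i.e. the RES_USE_DNSSEC case the report is about
    """
    fps = host_key_fingerprints(key_b64)
    found = len(rrset) > 0
    matched = any(alg == SSHFP_ALG.get(key_type) and fps.get(t) == fp
                  for alg, t, fp in rrset)
    return found, matched, found and ad_flag


def decide(key_type, key_b64, rrset, ad_flag, setting="yes"):
    """'accept' (no host-key prompt) only for a DNSSEC-secured match with
    VerifyHostKeyDNS=yes; every other outcome keeps the interactive prompt."""
    if setting == "no":
        return "prompt"
    found, matched, secure = verify_host_key_dns(key_type, key_b64, rrset, ad_flag)
    if found and matched and secure and setting == "yes":
        return "accept"
    return "prompt"  # no record, unvalidated answer, mismatch, or =ask


def constructed_ed25519_key():
    """Constructed sample key: a well-formed ssh-ed25519 blob carrying a dummy
    32-byte value in place of a real public point (digest fodder only)."""
    name, point = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(point)) + point
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    key = constructed_ed25519_key()
    rr = [(4, 2, host_key_fingerprints(key)[2])]
    print(decide("ssh-ed25519", key, rr, ad_flag=True))   # accept
    print(decide("ssh-ed25519", key, rr, ad_flag=False))  # prompt
```

An unvalidated answer still yields a prompt even when the fingerprint matches, which is exactly why the resolver's DNSSEC support matters for this feature.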


