On Wed, 9 May 2012 16:41:32 +1000 Darren wrote:
DT> On Wed, May 09, 2012 at 04:20:33AM +0000, Luca Filipozzi wrote:
DT> [...]
DT> > We propose that openssh be modified as follows:
DT> >
DT> > (1) introduce a new ssh_config directive: UnboundConfigurationFile
DT> >
DT> > (2) modify getrrsetbyname() such that, if UnboundConfigurationFile is
DT> > set, then the unbound resolver is used; if not, then libc
DT> >
DT> > (3) provide a default unbound configuration
DT> > in /etc/ssh/ssh_unbound_conf
DT>
DT> OK, here's my opinion:
DT> - I am OK with adding support for libunbound (we already have
DT> compile-time support for an alternate resolver, ldns), however

There is also a patch that I submitted back in 2009 to use libval from DNSSEC-Tools to do local validation. Any chance of getting that accepted? The last time I updated it was for 5.8, but I'd be glad to update it for 6.0 if there's a chance it will be accepted.

https://bugzilla.mindrot.org/show_bug.cgi?id=1672

We also added a new option, AutoAnswerValidatedKeys, to (optionally) automatically accept new keys which match a DNSSEC validated sshfp record. And we always do the validation in the library, and do not ever trust the AD bit from remote resolvers.

Robert
--
Senior Software Engineer
SPARTA, Inc., a Parsons Company
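The check the thread is about, accepting a host key only when it matches an SSHFP record that was validated locally, shown as an added example that is neither OpenSSH's code nor the patch discussed above. The `validated` flag stands in for the result of local DNSSEC validation (what libval or libunbound would report; never the AD bit of a remote resolver), and the sample key is a constructed ssh-ed25519 blob, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def key_type_from_blob(blob):
    """Read the leading length-prefixed string of a wire-format public key."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def sshfp_records(pubkey_line):
    """Derive the SSHFP rdata (alg, fptype, hex) a zone would publish for an
    OpenSSH public-key line; the fingerprint is the hash of the raw key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    if key_type_from_blob(blob) != keytype:
        raise ValueError("key type in line does not match blob")
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_FPTYPES.items())]


def sshfp_matches(pubkey_line, records, validated):
    """Policy assumed for AutoAnswerValidatedKeys: accept only if the record
    set was validated locally AND some record's fingerprint matches the key."""
    if not validated:
        return False  # unvalidated (or remote-AD-bit-only) answers never count
    wanted = {(a, t, fp.lower()) for a, t, fp in sshfp_records(pubkey_line)}
    return any((a, t, fp.lower()) in wanted for a, t, fp in records)


def _constructed_key(seed=b"\x01"):
    """Constructed sample, not a real host key: an ssh-ed25519 wire blob
    (length-prefixed type string, then a dummy 32-byte point)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + seed * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " host.example"


SAMPLE_KEY = _constructed_key()
OTHER_KEY = _constructed_key(b"\x02")
```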