holy hell this OS f'ckin rocks. so i waste a day and a half because i forgot to do a 'dnssec-enable yes;' in named.conf, totally my fault.

after i turn that on and setup named and my keys/zones right ( or unbreak them, after the day and a half of barking up the wrong tree... ), i find i have DNSSEC working for my SSHFP records, as tested by dig ( i have 'ad' in the reply, and i get RRSIG records printed in my Answer Sections ). ssh, otoh, is still saying to me "found <NUM> insecure fingerprints in DNS".

i spend more time on it and read [1], and get to thinking, ok, how the hell does ssh know if my resolver verified the SSHFP/RRSIG/DNSSEC crap or not? i thought it has to be in the data given back to ssh by the resolver. so i peek in /usr/src/usr.sbin/dns.c, and find the verify_host_key_dns function (?) and see it does some error checking and then it runs 'getrrsetbyname'. so, what the hell i say, 'man getrrsetbyname'. oh. look. there's a manpage. so in getrrsetbyname(3) i find:

---
If the EDNS0 option is activated in resolv.conf(5), getrrsetbyname() will
request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.
---

ok, so i check resolv.conf(5) and find:

---
options
     Allows certain internal resolver variables to be modified.  The
     syntax is:

           options option ...

     where option is one of the following:

     debug   Sets RES_DEBUG in _res.options.

     edns0   attach OPT pseudo-RR for EDNS0 extension specified in RFC
             2671, to inform DNS server of our receive buffer size.  The
             option will allow DNS servers to take advantage of
             non-default receive buffer size, and to send larger
             replies.  DNS query packets with EDNS0 extension are not
             compatible with non-EDNS0 DNS servers.  The option must be
             used only when all the DNS servers listed in nameserver
             lines are able to handle EDNS0 extension.
<...>
The options keyword of a system's resolv.conf or resolv.conf.tail file can
be amended on a per-process basis by setting the environment variable
RES_OPTIONS to a space-separated list of resolver options as explained
above.
---

so i 'export RES_OPTIONS=edns0' and then:

---
$ ssh -vo verifyhostkeydns\ yes hk4801.hklocal.nodeless.net
OpenSSH_4.2, OpenSSL 0.9.7g 11 Apr 2005
<...>
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
---

!

thank you Jakob Schlyter

[1] - http://www.ietf.org/internet-drafts/draft-ietf-secsh-dns-05.txt

( i checked ftp://ftp.win.tue.nl/pub/linux-local/manpages/man-pages-2.13.tar.gz and it doesn't seem to have getrrsetbyname(3), though perhaps it goes by a different name over there.. ? )

--
jared [ openbsd 3.8 GENERIC ( oct 15 ) // i386 ]
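The point of the post is that ssh does not trust SSHFP data on its own: the resolver must have asked for DNSSEC validation (the DO bit, enabled here via edns0) and reported the answer as validated, otherwise every fingerprint is counted as "insecure" even when it matches. The following added example (not OpenSSH's dns.c and not code from the poster) models that decision offline. It computes SSHFP-style fingerprints over an SSH public key blob and classifies a resolver answer the way the debug lines above read. The `answer` dict with its `"ad"` flag is a constructed stand-in for the validated flag a resolver returns alongside the RRset, the Ed25519 key bytes are constructed and not a real key, and the SHA-256 and Ed25519 code points go beyond the SHA-1/RSA/DSA records the 2005 draft defined (they come from RFC 6594 and RFC 7479).

```python
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALG = {1: "ssh-rsa", 2: "ssh-dss", 3: "ecdsa", 4: "ssh-ed25519"}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def sshfp_fingerprint(hostkey_blob: bytes, fptype: int) -> bytes:
    """Fingerprint as published in an SSHFP RR: hash over the raw public key blob."""
    return SSHFP_FPTYPE[fptype](hostkey_blob).digest()


def classify_sshfp(answer: dict, hostkey_blob: bytes, hostkey_alg: int):
    """Classify SSHFP records the way the ssh debug output above reads.

    answer is a constructed stand-in for a resolver result:
      {"ad": bool, "rrs": [(alg, fptype, fingerprint_bytes), ...]}
    where "ad" is True only when the resolver validated the RRset.
    Returns (secure_count, insecure_count, matched).
    """
    secure = insecure = 0
    matched = False
    for alg, fptype, fp in answer["rrs"]:
        if alg != hostkey_alg or fptype not in SSHFP_FPTYPE:
            continue  # record is for another key type or unknown hash; ignore it
        if answer["ad"]:
            secure += 1      # validated by DNSSEC: counts as a secure fingerprint
        else:
            insecure += 1    # no validation flag: counts as insecure, even if it matches
        if fp == sshfp_fingerprint(hostkey_blob, fptype):
            matched = True
    return secure, insecure, matched


def report(answer: dict, hostkey_blob: bytes, hostkey_alg: int) -> str:
    """Render the classification as ssh -v style debug lines."""
    secure, insecure, matched = classify_sshfp(answer, hostkey_blob, hostkey_alg)
    lines = []
    if secure:
        lines.append(f"found {secure} secure fingerprints in DNS")
    if insecure:
        lines.append(f"found {insecure} insecure fingerprints in DNS")
    if matched:
        lines.append("matching host key fingerprint found in DNS")
    # Only a validated *and* matching record is worth relying on.
    lines.append("trusted" if (secure and matched) else "not trusted")
    return "\n".join(lines)


# Constructed host key: an ssh-ed25519 blob whose 32 key bytes are a dummy pattern.
CONSTRUCTED_ED25519_PUB = bytes(range(32))
HOSTKEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(CONSTRUCTED_ED25519_PUB)
HOSTKEY_ALG = 4  # ssh-ed25519 in SSHFP numbering


def make_answer(validated: bool, blob: bytes, alg: int = HOSTKEY_ALG) -> dict:
    """Build a constructed answer carrying a SHA-1 and a SHA-256 SSHFP record."""
    return {"ad": validated,
            "rrs": [(alg, 1, sshfp_fingerprint(blob, 1)),
                    (alg, 2, sshfp_fingerprint(blob, 2))]}


def demo():
    """Same records three ways: validated, unvalidated, and validated but stale."""
    validated = make_answer(True, HOSTKEY_BLOB)
    unvalidated = make_answer(False, HOSTKEY_BLOB)          # the "before edns0" case
    stale = {"ad": True, "rrs": [(HOSTKEY_ALG, 2, b"\x00" * 32)]}  # wrong fingerprint
    return (classify_sshfp(validated, HOSTKEY_BLOB, HOSTKEY_ALG),
            classify_sshfp(unvalidated, HOSTKEY_BLOB, HOSTKEY_ALG),
            classify_sshfp(stale, HOSTKEY_BLOB, HOSTKEY_ALG))


if __name__ == "__main__":
    for name, ans in (("validated", make_answer(True, HOSTKEY_BLOB)),
                      ("unvalidated", make_answer(False, HOSTKEY_BLOB))):
        print(f"--- {name} ---")
        print(report(ans, HOSTKEY_BLOB, HOSTKEY_ALG))
```

The unvalidated case reproduces the poster's first symptom: the fingerprints match, but without the validated flag they are all reported as insecure and the DNS data should not be used to skip the host key prompt. Flipping the flag (what `RES_OPTIONS=edns0` achieved on this resolver) is the only difference between the two runs.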