Hi,
And here is a sketch of the AD bit approach, including the asr changes.
Largely untested and lacking docs and the localhost vs non-localhost
distinction.
-Otto
Index: include/resolv.h
===================================================================
RCS file: /cvs/src/include/resolv.h,v
retrieving revision 1.22
diff -u -p -r1.22 resolv.h
--- include/resolv.h 14 Jan 2019 06:23:06 -0000 1.22
+++ include/resolv.h 18 Nov 2021 07:12:08 -0000
@@ -191,6 +191,7 @@ struct __res_state_ext {
/* DNSSEC extensions: use higher bit to avoid conflict with ISC use */
#define RES_USE_DNSSEC 0x20000000 /* use DNSSEC using OK bit in
OPT */
#define RES_USE_CD 0x10000000 /* set Checking Disabled flag */
+#define RES_USE_AD 0x80000000 /* set Authentic Data flag */
#define RES_DEFAULT (RES_RECURSE | RES_DEFNAMES | RES_DNSRCH)
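Review bot: The comment on the new flag, `/* set Authentic Data flag */`, does not say where the bit goes; it is set in the query header, where per RFC 6840 section 5.7 it only tells the server that the client understands AD, and it does not on its own make a reply authenticated. Suggest `/* set Authentic Data flag in queries (RFC 6840 5.7) */` so nobody reads RES_USE_AD as "require validated answers". The value 0x80000000 is the top bit of a 32-bit word, which is fine as an unsigned literal and in a u_long options field, but any caller that copies options into an `int` will see it as a negative value and sign-extend it on the way back.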
Index: lib/libc/asr/res_mkquery.c
===================================================================
RCS file: /cvs/src/lib/libc/asr/res_mkquery.c,v
retrieving revision 1.13
diff -u -p -r1.13 res_mkquery.c
--- lib/libc/asr/res_mkquery.c 14 Jan 2019 06:49:42 -0000 1.13
+++ lib/libc/asr/res_mkquery.c 18 Nov 2021 07:12:08 -0000
@@ -62,6 +62,8 @@ res_mkquery(int op, const char *dname, i
h.flags |= RD_MASK;
if (ac->ac_options & RES_USE_CD)
h.flags |= CD_MASK;
+ if (ac->ac_options & RES_USE_AD)
+ h.flags |= AD_MASK;
h.qdcount = 1;
if (ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
h.arcount = 1;
Index: lib/libc/asr/res_send_async.c
===================================================================
RCS file: /cvs/src/lib/libc/asr/res_send_async.c,v
retrieving revision 1.39
diff -u -p -r1.39 res_send_async.c
--- lib/libc/asr/res_send_async.c 28 Sep 2019 11:21:07 -0000 1.39
+++ lib/libc/asr/res_send_async.c 18 Nov 2021 07:12:08 -0000
@@ -378,6 +378,8 @@ setup_query(struct asr_query *as, const
h.flags |= RD_MASK;
if (as->as_ctx->ac_options & RES_USE_CD)
h.flags |= CD_MASK;
+ if (as->as_ctx->ac_options & RES_USE_AD)
+ h.flags |= AD_MASK;
h.qdcount = 1;
if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
h.arcount = 1;
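Review bot: Setting AD_MASK on the outgoing query at `h.flags |= AD_MASK;` only advertises that the client understands the AD bit; nothing in this diff shows where the AD bit of the reply is examined and surfaced to callers, which is what the ssh change depends on, so that path (presumably in the getrrsetbyname code) should be confirmed rather than assumed. A comment such as `/* RFC 6840 5.7: AD in the query asks the server to set AD in the reply */` would make the intent clear. The same two lines are duplicated in res_mkquery.c, which is acceptable for one flag but worth a shared helper if more header flags follow. setup_query continues outside the hunk.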
Index: usr.bin/ssh/dns.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/dns.c,v
retrieving revision 1.41
diff -u -p -r1.41 dns.c
--- usr.bin/ssh/dns.c 19 Jul 2021 03:13:28 -0000 1.41
+++ usr.bin/ssh/dns.c 18 Nov 2021 07:12:08 -0000
@@ -29,6 +29,7 @@
#include <sys/socket.h>
#include <netdb.h>
+#include <resolv.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
@@ -195,7 +196,7 @@ verify_host_key_dns(const char *hostname
struct sshkey *hostkey, int *flags)
{
u_int counter;
- int result;
+ int result, old_options;
struct rrsetinfo *fingerprints = NULL;
u_int8_t hostkey_algorithm;
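Review bot: `old_options` is declared `int` in `int result, old_options;` but it holds a copy of `_res.options`, which in OpenBSD's `struct __res_state` is, as far as I recall, `u_long`; the new RES_USE_AD value 0x80000000 is the sign bit of an int, so if that bit is already set when the copy is taken, the round trip through `int` sign-extends on restore and sets the upper 32 bits of options. Declare it with the field's type, `u_long old_options;`, and keep `result` on its own line. The declaration belongs to verify_host_key_dns, whose body continues outside the hunk.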
@@ -218,8 +219,12 @@ verify_host_key_dns(const char *hostname
return -1;
}
+ old_options = _res.options;
+ _res.options |= RES_USE_AD;
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+ _res.options = old_options;
+
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
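Review bot: The AD flag is forced on for every SSHFP lookup at `_res.options |= RES_USE_AD;`, but an AD bit in a reply is only meaningful when it comes from a validating resolver over a path an attacker cannot touch (loopback or an authenticated transport); for a resolver reached over the network, anyone who can spoof the reply can set AD and make an unsigned SSHFP record look validated, which is exactly the signal ssh is about to trust for a host key. The cover letter admits the localhost vs non-localhost distinction is missing; until it exists, the flag should be set only when the configured nameserver is known to be trusted, and whatever in the rest of verify_host_key_dns (outside this hunk) consumes the validated status should not act on it for a non-local server. The save/restore pair also writes the process-global `_res` directly, so a comment like `/* ask for the AD bit; only trustworthy from a local validating resolver */` would record the assumption for the next reader. The restore is correctly unconditional before the `if (result)` check, so the error path does not leak the flag.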