On Wed, 9 May 2012 16:41:32 +1000 Darren wrote:
DT> On Wed, May 09, 2012 at 04:20:33AM +0000, Luca Filipozzi wrote:
DT> [...]
DT> > We propose that openssh be modified as follows:
DT> >
DT> > (1) introduce a new ssh_config directive: UnboundConfigurationFile
DT> >
DT> > (2) modify getrrsetbyname() such that, if UnboundConfigurationFile is
DT> > set, then the unbound resolver is used; if not, then libc
DT> >
DT> > (3) provide a default unbound configuration
DT> > in /etc/ssh/ssh_unbound_conf
DT>
DT> OK, here's my opinion:
DT> - I am OK with adding support for libunbound (we already have
DT> compile-time support for an alternate resolver, ldns), however
There is also a patch that I submitted back in 2009 to use libval from
DNSSEC-Tools to do local validation. Any chance of getting that accepted?
The last time I updated it was for 5.8, but I'd be glad to update it for
6.0 if there's a chance it will be accepted.
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
We also added a new option, AutoAnswerValidatedKeys, to (optionally)
automatically accept new keys which match a DNSSEC validated sshfp record.
And we always do the validation in the library, and do not ever trust the
AD bit from remote resolvers.
Robert
--
Senior Software Engineer
SPARTA, Inc., a Parsons Company
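To make concrete what "match a DNSSEC validated sshfp record" and "never trust the AD bit" mean in practice, here is an added Python example that is not part of the thread, the libval patch, or OpenSSH itself. It builds an SSHFP fingerprint from an OpenSSH public-key line (the hash is taken over the SSH wire-format key blob; algorithm and fingerprint-type numbers follow RFC 4255/6594/7479), checks a key against SSHFP RDATA, and applies a small accept/ask/reject policy of the example's own design in which the only trust input is the status reported by an in-process validator, so a remote resolver's AD flag has no way to influence the outcome. The Ed25519 key bytes and the function and option names other than AutoAnswerValidatedKeys are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# SSHFP RDATA numbers: algorithm (RFC 4255, 6594, 7479) and fingerprint type.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def constructed_ed25519_pubkey(raw32: bytes) -> str:
    """Build an OpenSSH public-key line around 32 constructed bytes (not a real key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def sshfp_alg_for(keytype: str) -> Optional[int]:
    """Map an OpenSSH key type name to its SSHFP algorithm number."""
    if keytype.startswith("ecdsa-sha2-"):
        return SSHFP_ALG["ecdsa"]
    return SSHFP_ALG.get(keytype)


def sshfp_rdata(pubkey_line: str, fptype: int = 2) -> str:
    """Presentation-format SSHFP RDATA ('alg fptype hex') for a public-key line."""
    keytype, b64 = pubkey_line.split()[:2]
    alg = sshfp_alg_for(keytype)
    if alg is None or fptype not in SSHFP_HASH:
        raise ValueError("unsupported key type or fingerprint type")
    # The fingerprint covers the base64-decoded wire-format key blob.
    digest = SSHFP_HASH[fptype](base64.b64decode(b64)).hexdigest()
    return f"{alg} {fptype} {digest}"


def parse_sshfp(rdata: str) -> Tuple[int, int, str]:
    """Split SSHFP RDATA; zone files may break the hex into whitespace-separated groups."""
    alg, fptype, fp = rdata.split(None, 2)
    return int(alg), int(fptype), fp.replace(" ", "").lower()


def key_matches_sshfp(pubkey_line: str, rdata: str) -> bool:
    """True when the offered host key hashes to the fingerprint in one SSHFP record."""
    alg, fptype, fp = parse_sshfp(rdata)
    keytype, b64 = pubkey_line.split()[:2]
    if alg != sshfp_alg_for(keytype) or fptype not in SSHFP_HASH:
        return False
    digest = SSHFP_HASH[fptype](base64.b64decode(b64)).hexdigest()
    return hmac.compare_digest(digest, fp)


def host_key_decision(pubkey_line: str, sshfp_rrset: List[str],
                      local_validation: str, auto_answer: bool = True) -> str:
    """Policy for a previously unknown host key (the example's own, not OpenSSH's).

    local_validation is what the validator running inside this process reported
    for the SSHFP RRset: 'secure', 'insecure' or 'bogus'. The AD bit of a reply
    from a remote resolver is deliberately not an input, because anything on the
    path to that resolver can set it. auto_answer plays the role of the
    AutoAnswerValidatedKeys option from the thread.
    Returns 'accept', 'ask' or 'reject'.
    """
    if local_validation == "bogus":
        # Signatures failed locally: discard the DNS data and fall back to prompting.
        return "ask"
    matched = any(key_matches_sshfp(pubkey_line, r) for r in sshfp_rrset)
    if matched and local_validation == "secure" and auto_answer:
        return "accept"
    if sshfp_rrset and not matched and local_validation == "secure":
        # A validated record exists and disagrees with the offered key.
        return "reject"
    # Unvalidated match, no records, or auto-answer disabled: ask the user.
    return "ask"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey(bytes(range(32)))   # constructed sample key
    record = sshfp_rdata(key)
    print(record)
    print(host_key_decision(key, [record], "secure"))     # accept
    print(host_key_decision(key, [record], "insecure"))   # ask
```

The decision function is where the design point from the thread lives: the validator verdict is an argument the caller obtains from its own library (libunbound or libval style), and nothing in the function reads a flag from a resolver response.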