>>>>> On Mon, 27 Apr 2009 09:44:47 +0200, Stephane Bortzmeyer
>>>>> <[email protected]> said:

SB> At least OpenSSH appears to not do that systematically, probably
SB> because there is no secure name resolution API, no standard way to
SB> check the AD bit from an application (and the app will still not know
SB> if the validating resolver was "secure", or if it was using random
SB> trust anchors without checking).

You can find the patch for OpenSSH available from http://www.dnssec-tools.org/ which does in-application validation and ssh fingerprint accepting. I demonstrated its use at a recent NANOG, in fact. The patch makes use of an in-application validation library that does let the application know if the fingerprint lookup was secure or not.

-- 
"In the bathtub of history the truth is harder to hold than the soap, and much more difficult to find." -- Terry Pratchett

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
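The decision the message describes, as an added example in Python (not code from the dnssec-tools patch or OpenSSH): the client computes the SSHFP fingerprint of the host key it was offered and accepts it only if a matching SSHFP record came back AND the in-application validator reported the lookup as secure. The `validation_status` string, the helper names and the host key blob are assumptions for this example; the SSHFP algorithm and fingerprint-type numbers are the ones from RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib
import hmac

# SSHFP field codes: algorithm (RFC 4255, 6594, 7479) and fingerprint type.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed host key blob shaped like an OpenSSH wire-format ed25519 key.
# It is NOT a real key; it only serves as hash input for this example.
SAMPLE_KEY_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
).decode()


def sshfp_fingerprint(key_blob_b64: str, fptype: int) -> str:
    """Hex fingerprint of the raw (base64-decoded) key blob, per RFC 4255 s.3.1.2."""
    return SSHFP_FPTYPE[fptype](base64.b64decode(key_blob_b64)).hexdigest()


def parse_sshfp(rdata: str):
    """Split presentation-format SSHFP rdata: '<alg> <fptype> <hex fingerprint>'."""
    alg, fptype, fp = rdata.split()
    return int(alg), int(fptype), fp.lower()


def decide(key_type: str, key_blob_b64: str, sshfp_records, validation_status: str) -> str:
    """Return 'accept', 'mismatch' or 'insecure'.

    validation_status is what an in-application validating library reports
    for the lookup (assumed values: 'secure', 'insecure', 'bogus'). Only a
    'secure' answer may be trusted to accept a host key without prompting.
    """
    if validation_status != "secure":
        return "insecure"          # unvalidated data: fall back to the normal prompt
    for rr in sshfp_records:
        alg, fptype, fp = parse_sshfp(rr)
        if alg != SSHFP_ALG.get(key_type) or fptype not in SSHFP_FPTYPE:
            continue               # record is for another key type or unknown hash
        if hmac.compare_digest(sshfp_fingerprint(key_blob_b64, fptype), fp):
            return "accept"
    return "mismatch"              # validated answer, but no record matches this key


# Constructed DNS answer: one SHA-256 SSHFP record matching the sample key.
SAMPLE_RECORDS = ["4 2 " + sshfp_fingerprint(SAMPLE_KEY_BLOB, 2)]

if __name__ == "__main__":
    for status in ("secure", "insecure", "bogus"):
        print(status, "->", decide("ssh-ed25519", SAMPLE_KEY_BLOB, SAMPLE_RECORDS, status))
```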
