https://bugzilla.mindrot.org/show_bug.cgi?id=1672
[email protected] changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jarrod.b.johnson+...@gmail. | |com --- Comment #2 from [email protected] 2010-10-21 02:11:27 EST --- I would like to see this baked into OpenSSH as well. As it stands, the DNSSEC support for SSHFP has two critical gaps as far as I can tell: -No protection for DNS hijacking between client and closest DNS server (e.g. most home users point at an ISP DNS server, so anyone with access to the ISP network can trick DNSSEC validated SSHFP records even without compromising the security of DNSSEC) -The inability to cleanly deal with the case where local nameserver is authoritative. The AD bit won't be set if AA is set. If I'm using a local DNS server as a repository for SSHFP records, I cannot use this infrastructure to help scripted execution of ssh as it stands since it will receive authoritative, but not validated data. Commonly, a resolver on localhost can close the gap for most cases, but the problem of executing ssh from the DNS server itself is problematic. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
