Hi, 

earlier this year, jca@ worked on support for DNSSEC and the EDNS0
extension [1] and committed this work at [2] (thanks!).  I tried this
with SSHFP records to check the authenticity of hosts with DNSSEC, but ssh
reported that the host key fingerprints were insecure.

I am using this configuration file: 

# cat /etc/resolv.conf
nameserver 8.8.8.8
options edns0

And ssh reports the following: 

$ ssh -o VerifyHostKeyDNS=yes -vvvv domain_with_sshfp_dnssec
  ...
debug3: verify_host_key_dns
debug1: found 8 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
The authenticity of host 'xxxxxxxxxxx (xxxxxxxxxxxx)' can't be established.
ECDSA key fingerprint is ....
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? 
  ...

I tried to find out why and after going through the asr code, I found
the following: 

Index: lib/libc/asr/res_send_async.c
===================================================================
RCS file: /cvs/src/lib/libc/asr/res_send_async.c,v
retrieving revision 1.36
diff -u -p -r1.36 res_send_async.c
--- lib/libc/asr/res_send_async.c       15 Mar 2017 15:54:41 -0000      1.36
+++ lib/libc/asr/res_send_async.c       11 Jul 2017 20:09:59 -0000
@@ -385,7 +385,7 @@ setup_query(struct asr_query *as, const 
        _asr_pack_query(&p, type, class, dname);
        if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
                _asr_pack_edns0(&p, MAXPACKETSZ,
-                   as->as_ctx->ac_options & RES_USE_DNSSEC);
+                   as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC));
        if (p.err) {
                DPRINT("error packing query");
                errno = EINVAL;
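Review bot: inside this branch the new third argument is always non-zero, because the enclosing `if` already requires at least one of RES_USE_EDNS0 and RES_USE_DNSSEC, so the change is equivalent to passing a constant true to `_asr_pack_edns0` and the `dnssec_do` parameter stops meaning "DNSSEC was requested". That makes every EDNS0 query (for example a resolver configured with just `options edns0`) ask for DNSSEC data it did not request, with the larger RRSIG-carrying answers that implies. The original expression `as->as_ctx->ac_options & RES_USE_DNSSEC` is the one that matches the parameter's name, so a DO bit of zero in the observed queries points at RES_USE_DNSSEC not being set in `ac_options` for this caller (option parsing or the caller's flags), which is where the fix belongs; if EDNS0 alone is meant to imply DO, pass `1` here and document why.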

I guess that RES_USE_EDNS0 was missing in the call to the function
_asr_pack_edns0 (as far as I have seen, this parameter is called
dnssec_do and de-/activates the DO bit); the if statement above uses it
as well.  Without that patch, the DO bit was always zero in my cases.  So,
with that patch in place, I get:

$ ssh -o VerifyHostKeyDNS=yes -vvvv domain_with_sshfp_dnssec
 ...
debug3: verify_host_key_dns                               
debug1: found 8 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
 ...

Can anyone have a look at this? 

[1] http://marc.info/?l=openbsd-tech&m=148804202203829&w=2
[2] http://marc.info/?l=openbsd-cvs&m=148819549802327&w=2

Kind regards, 
Christian Barthel
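Added example, not part of the post above and not code from libc/asr or OpenSSH: a small Python model of the query side of the report. pack_query() emits the EDNS0 OPT RR the way setup_query() does, with a dnssec_do argument that controls only the DO bit; query_do_bit() reads that bit back out of a packet; fake_validating_resolver() is a constructed stand-in for the behaviour seen with 8.8.8.8 above, setting AD in the answer only when the query carried DO; classify() mirrors ssh's "secure"/"insecure" decision, which is driven by the AD bit. The function names, the UDP payload size and the resolver model are assumptions for illustration.

```python
import struct

# Protocol constants from the DNS RFCs; the names are mine, not asr's.
TYPE_SSHFP = 44           # RFC 4255
TYPE_OPT = 41             # RFC 6891
CLASS_IN = 1
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020          # Authentic Data, RFC 4035 3.2.3
OPT_DO = 0x8000           # DO bit: top bit of the OPT RR's TTL field, RFC 3225
UDP_PAYLOAD = 4096        # assumed stand-in for asr's MAXPACKETSZ


def pack_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def pack_query(qid, name, qtype, edns0=False, dnssec_do=False):
    """Build a query. dnssec_do plays the role of the third argument to
    _asr_pack_edns0: it only matters when an OPT RR is emitted (edns0=True)."""
    hdr = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if edns0 else 0)
    question = pack_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns0:
        ttl = OPT_DO if dnssec_do else 0           # ext-rcode/version/DO/Z
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_PAYLOAD, ttl, 0)
    return hdr + question + opt


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                       # compression pointer
            return off + 2
        off += 1 + n


def query_do_bit(pkt):
    """True/False for an OPT RR with/without DO, None if the packet has no OPT."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4              # qtype + qclass
    for _ in range(an + ns):
        off = skip_name(pkt, off) + 8              # type, class, ttl
        off += 2 + struct.unpack("!H", pkt[off:off + 2])[0]
    for _ in range(ar):
        off = skip_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT:
            return bool(ttl & OPT_DO)
        off += 10 + rdlen
    return None


def fake_validating_resolver(query):
    """Constructed model of the observed behaviour: AD is set in the reply only
    if the query asked for DNSSEC via DO. The answer body is left empty."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if query_do_bit(query):
        flags |= FLAG_AD
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)


def classify(response):
    """What ssh's VerifyHostKeyDNS path reports: fingerprints are 'secure'
    only when the resolver set the AD bit in the response header."""
    flags = struct.unpack("!H", response[2:4])[0]
    return "secure" if flags & FLAG_AD else "insecure"


if __name__ == "__main__":
    for do in (False, True):
        q = pack_query(0x1234, "host.example.", TYPE_SSHFP, edns0=True, dnssec_do=do)
        print("DO=%d -> %s fingerprints" % (do, classify(fake_validating_resolver(q))))
```

The point the model makes is that the AD bit ssh trusts is only ever set for a query that carried DO, so a resolver library that builds EDNS0 queries with DO cleared turns every SSHFP answer into an "insecure" one regardless of how the zone is signed. Note also that AD is just a header bit from the upstream resolver: over plain UDP to 8.8.8.8 it is not itself authenticated, so "secure" here means "the remote resolver says it validated", not that the client did.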
