Hi, earlier this year, jca@ worked on support for DNSSEC and the EDNS0 extension [1] and committed this work at [2] (thanks!). I tried this with SSHFP records to check authenticity of hosts with DNSSEC; but ssh reported that the hostkey fingerprints were insecure.
I am using this configuration file:

# cat /etc/resolv.conf
nameserver 8.8.8.8
options edns0

And ssh reports the following:

$ ssh -o VerifyHostKeyDNS=yes -vvvv doamin_with_sshpf_dnssec
...
debug3: verify_host_key_dns
debug1: found 8 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
The authenticity of host 'xxxxxxxxxxx (xxxxxxxxxxxx)' can't be established.
ECDSA key fingerprint is ....
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
...

I tried to find out why, and after going through the asr code I found the following:

Index: lib/libc/asr/res_send_async.c
===================================================================
RCS file: /cvs/src/lib/libc/asr/res_send_async.c,v
retrieving revision 1.36
diff -u -p -r1.36 res_send_async.c
--- lib/libc/asr/res_send_async.c	15 Mar 2017 15:54:41 -0000	1.36
+++ lib/libc/asr/res_send_async.c	11 Jul 2017 20:09:59 -0000
@@ -385,7 +385,7 @@ setup_query(struct asr_query *as, const
 	_asr_pack_query(&p, type, class, dname);
 	if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
 		_asr_pack_edns0(&p, MAXPACKETSZ,
-		    as->as_ctx->ac_options & RES_USE_DNSSEC);
+		    as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC));
 	if (p.err) {
 		DPRINT("error packing query");
 		errno = EINVAL;

I guess that RES_USE_EDNS0 was missing from the call to _asr_pack_edns0 (as far as I have seen, this parameter is called dnssec_do and de-/activates the DO bit); the if statement above is using it also. Without that patch, the DO bit was always zero in my cases. So, with that patch in place, I get:

$ ssh -o VerifyHostKeyDNS=yes -vvvv doamin_with_sshpf_dnssec
...
debug3: verify_host_key_dns
debug1: found 8 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
...

Can anyone have a look at this?

[1] http://marc.info/?l=openbsd-tech&m=148804202203829&w=2
[2] http://marc.info/?l=openbsd-cvs&m=148819549802327&w=2

Kind regards,
Christian Barthel
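Review bot: the widened third argument in the `-`/`+` lines makes `_asr_pack_edns0` set the DO bit whenever RES_USE_EDNS0 is set, not only when RES_USE_DNSSEC is, so a resolver configured with `options edns0` alone now advertises DO and will receive RRSIG records it never asked for, which only enlarges responses for callers that do no validation. Given the parameter is named dnssec_do, the cleaner fix for the reported symptom is to make sure RES_USE_DNSSEC actually reaches `as->as_ctx->ac_options` for the SSHFP lookup (either from the resolv.conf option parsing or from the getrrsetbyname path that ssh uses) and leave this line as `as->as_ctx->ac_options & RES_USE_DNSSEC`; if the intent really is "EDNS0 implies DO", the commit message should say so explicitly, since the guarding `if` already ORs both flags and only the DO argument changes here.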
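To make the difference concrete at the wire level, here is an added, self-contained example (my own code, not asr's or OpenSSH's) that packs the same EDNS0 OPT pseudo-RR fields the patch is arguing about (payload size in CLASS, DO bit in the high bit of the TTL field, per RFC 6891 and RFC 3225), builds a stub SSHFP query around it, and then parses the query back to report whether DO is set. The hostname `host.example`, the function names and the 4096-byte payload size are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_TYPE_SSHFP 44
#define DNS_TYPE_OPT   41
#define DNS_CLASS_IN   1
#define EDNS0_DO       0x8000U   /* DO bit: high bit of the OPT RR's TTL field (RFC 3225) */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Encode "host.example" as DNS labels. Returns bytes written, 0 on error. */
static size_t pack_name(uint8_t *buf, size_t room, const char *name)
{
	size_t off = 0;
	while (*name) {
		const char *dot = strchr(name, '.');
		size_t n = dot ? (size_t)(dot - name) : strlen(name);
		if (n == 0 || n > 63 || off + 1 + n + 1 > room)
			return 0;
		buf[off++] = (uint8_t)n;
		memcpy(buf + off, name, n);
		off += n;
		name += n;
		if (*name == '.')
			name++;
	}
	if (off + 1 > room)
		return 0;
	buf[off++] = 0;
	return off;
}

/* Append an EDNS0 OPT pseudo-RR (RFC 6891): NAME=root, TYPE=OPT,
 * CLASS=UDP payload size, TTL=ext-rcode|version|DO|Z, RDLENGTH=0.
 * This is a hypothetical stand-in for _asr_pack_edns0's role. */
size_t pack_edns0(uint8_t *buf, size_t room, uint16_t udpsize, int dnssec_do)
{
	if (room < 11)
		return 0;
	buf[0] = 0;                                  /* root name */
	put16(buf + 1, DNS_TYPE_OPT);
	put16(buf + 3, udpsize);                     /* requestor's payload size */
	buf[5] = 0;                                  /* extended RCODE */
	buf[6] = 0;                                  /* EDNS version 0 */
	put16(buf + 7, dnssec_do ? EDNS0_DO : 0);    /* DO bit plus Z bits */
	put16(buf + 9, 0);                           /* no options */
	return 11;
}

/* Build a stub query for name/qtype with one OPT RR in the additional section. */
size_t build_query(uint8_t *buf, size_t room, uint16_t id, const char *name,
    uint16_t qtype, uint16_t udpsize, int dnssec_do)
{
	size_t off = 12, n;
	if (room < 12)
		return 0;
	memset(buf, 0, 12);
	put16(buf, id);
	put16(buf + 2, 0x0100);   /* RD */
	put16(buf + 4, 1);        /* QDCOUNT */
	put16(buf + 10, 1);       /* ARCOUNT: the OPT RR */
	if ((n = pack_name(buf + off, room - off, name)) == 0)
		return 0;
	off += n;
	if (room - off < 4)
		return 0;
	put16(buf + off, qtype);
	put16(buf + off + 2, DNS_CLASS_IN);
	off += 4;
	if ((n = pack_edns0(buf + off, room - off, udpsize, dnssec_do)) == 0)
		return 0;
	return off + n;
}

/* Skip a wire-format name (labels or a compression pointer). Returns new offset or 0. */
static size_t skip_name(const uint8_t *pkt, size_t len, size_t off)
{
	while (off < len) {
		uint8_t l = pkt[off];
		if (l == 0)
			return off + 1;
		if ((l & 0xc0) == 0xc0)
			return off + 2 <= len ? off + 2 : 0;
		off += 1 + l;
	}
	return 0;
}

/* Locate the OPT RR and report its payload size and DO bit.
 * Returns 1 if found, 0 if the packet carries no OPT RR, -1 if malformed. */
int edns0_info(const uint8_t *pkt, size_t len, uint16_t *udpsize, int *dnssec_do)
{
	size_t off = 12;
	unsigned i, qd, rr;
	if (len < 12)
		return -1;
	qd = get16(pkt + 4);
	rr = get16(pkt + 6) + get16(pkt + 8) + get16(pkt + 10);
	for (i = 0; i < qd; i++) {
		if ((off = skip_name(pkt, len, off)) == 0 || off + 4 > len)
			return -1;
		off += 4;
	}
	for (i = 0; i < rr; i++) {
		uint16_t type, rdlen;
		if ((off = skip_name(pkt, len, off)) == 0 || off + 10 > len)
			return -1;
		type = get16(pkt + off);
		rdlen = get16(pkt + off + 8);
		if (type == DNS_TYPE_OPT) {
			*udpsize = get16(pkt + off + 2);
			*dnssec_do = (get32(pkt + off + 4) & EDNS0_DO) != 0;
			return 1;
		}
		off += 10 + rdlen;
		if (off > len)
			return -1;
	}
	return 0;
}

int main(void)
{
	uint8_t q[512];
	uint16_t sz;
	int dob;
	/* Constructed sample: SSHFP query for host.example with and without DO. */
	size_t n = build_query(q, sizeof q, 0x1234, "host.example", DNS_TYPE_SSHFP, 4096, 1);
	if (n && edns0_info(q, n, &sz, &dob) == 1)
		printf("%zu-byte query: OPT udpsize=%u DO=%d\n", n, sz, dob);
	n = build_query(q, sizeof q, 0x1235, "host.example", DNS_TYPE_SSHFP, 4096, 0);
	if (n && edns0_info(q, n, &sz, &dob) == 1)
		printf("%zu-byte query: OPT udpsize=%u DO=%d\n", n, sz, dob);
	return 0;
}
```

Running this against a pcap of the ssh lookup is the quickest way to confirm what the resolver actually sent: if `edns0_info` reports `DO=0` on the outgoing SSHFP query, the server will strip RRSIGs and set no AD bit, and ssh can only report the fingerprints as insecure regardless of how the zone is signed.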