On Wed, Jul 12, 2017 at 07:45:36AM +0200, Christian Barthel wrote:
> Hi,
>
> earlier this year, jca@ worked on support for DNSSEC and the EDNS0
> extension [1] and committed this work at [2] (thanks!). I tried this
> with SSHFP records to check authenticity of hosts with DNSSEC; but ssh
> reported that the hostkey fingerprints were insecure.
>
> I am using this configuration file:
>
> # cat /etc/resolv.conf
> nameserver 8.8.8.8
> options edns0
>
> And ssh reports the following:
>
> $ ssh -o VerifyHostKeyDNS=yes -vvvv domain_with_sshfp_dnssec
> ...
> debug3: verify_host_key_dns
> debug1: found 8 insecure fingerprints in DNS
> debug1: matching host key fingerprint found in DNS
> The authenticity of host 'xxxxxxxxxxx (xxxxxxxxxxxx)' can't be established.
> ECDSA key fingerprint is ....
> Matching host key fingerprint found in DNS.
> Are you sure you want to continue connecting (yes/no)?
> ...
>
> I tried to find out why and after going through the asr code, I found
> the following:
>
> Index: lib/libc/asr/res_send_async.c
> ===================================================================
> RCS file: /cvs/src/lib/libc/asr/res_send_async.c,v
> retrieving revision 1.36
> diff -u -p -r1.36 res_send_async.c
> --- lib/libc/asr/res_send_async.c 15 Mar 2017 15:54:41 -0000 1.36
> +++ lib/libc/asr/res_send_async.c 11 Jul 2017 20:09:59 -0000
> @@ -385,7 +385,7 @@ setup_query(struct asr_query *as, const
> _asr_pack_query(&p, type, class, dname);
> if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
> _asr_pack_edns0(&p, MAXPACKETSZ,
> - as->as_ctx->ac_options & RES_USE_DNSSEC);
> + as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC));
> if (p.err) {
> DPRINT("error packing query");
> errno = EINVAL;
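Review bot: the `+` line widens the mask passed as the last argument of `_asr_pack_edns0` from `RES_USE_DNSSEC` to `RES_USE_EDNS0 | RES_USE_DNSSEC`, so every caller that only has EDNS0 enabled (a plain `options edns0` in resolv.conf, as in the report above) would now get the DNSSEC-specific behaviour too; the two options are distinct, and the enclosing `if` already handles "either is set". If the aim is to get DNSSEC behaviour from that resolv.conf, the change belongs where `RES_USE_DNSSEC` gets set (configuration parsing, or the caller setting it explicitly), with this line left as `as->as_ctx->ac_options & RES_USE_DNSSEC`.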
The current code is correct: RES_USE_EDNS0 does not imply RES_USE_DNSSEC.
The real problem is that there is no resolv.conf option for RES_USE_DNSSEC.
It can only be set in user code by tweaking _res.options.
Eric.
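To make the distinction in this thread concrete, here is an added example (not asr's code, and not from either poster) that builds the EDNS0 OPT pseudo-RR a query would carry and shows that the DNSSEC OK (DO) bit is set only when the DNSSEC option itself is requested, not merely because EDNS0 is on; it also checks the AD bit in a response header, which is what separates a validated answer from the "insecure fingerprints" ssh reported. `OPT_EDNS0` and `OPT_DNSSEC` are hypothetical stand-ins for the `RES_USE_*` bits, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical stand-ins for the RES_USE_EDNS0 / RES_USE_DNSSEC option bits */
#define OPT_EDNS0     0x1u
#define OPT_DNSSEC    0x2u
#define EDNS_OPT_TYPE 41      /* OPT pseudo-RR type (RFC 6891) */
#define EDNS_DO_FLAG  0x8000  /* DNSSEC OK bit in the OPT flags (RFC 3225) */

/* Append an OPT pseudo-RR: root NAME, TYPE 41, CLASS = UDP payload size,
 * TTL = ext-rcode | version | flags, RDLEN 0. Returns bytes written, 0 on overflow. */
size_t pack_edns0(uint8_t *buf, size_t cap, uint16_t udpsize, int want_dnssec)
{
	uint16_t flags = want_dnssec ? EDNS_DO_FLAG : 0;
	if (cap < 11)
		return 0;
	buf[0] = 0;                                     /* NAME "." */
	buf[1] = 0; buf[2] = EDNS_OPT_TYPE;             /* TYPE */
	buf[3] = udpsize >> 8; buf[4] = udpsize & 0xff; /* CLASS */
	buf[5] = 0; buf[6] = 0;                         /* ext RCODE, version */
	buf[7] = flags >> 8; buf[8] = flags & 0xff;     /* flags: DO bit */
	buf[9] = 0; buf[10] = 0;                        /* RDLEN */
	return 11;
}

/* Additional section of a query: an OPT RR when EDNS0 or DNSSEC is enabled,
 * with the DO bit only when DNSSEC itself was requested. */
size_t pack_additional(uint8_t *buf, size_t cap, unsigned options)
{
	if (!(options & (OPT_EDNS0 | OPT_DNSSEC)))
		return 0;
	return pack_edns0(buf, cap, 4096, options & OPT_DNSSEC);
}

/* OPT flags word a query would carry for these options, -1 if no OPT RR is sent. */
int edns_flags_for(unsigned options)
{
	uint8_t buf[16];
	if (pack_additional(buf, sizeof buf, options) == 0)
		return -1;
	return (buf[7] << 8) | buf[8];
}

/* An answer counts as DNSSEC-validated only if the AD bit (header byte 3, 0x20) is set. */
int response_is_authenticated(const uint8_t *msg, size_t len)
{
	return len >= 12 && (msg[3] & 0x20) != 0;
}

/* Constructed 12-byte response headers: flags 0x81a0 (QR RD RA AD) and 0x8180 (no AD). */
const uint8_t SAMPLE_AD_HEADER[12]   = { 0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 1 };
const uint8_t SAMPLE_NOAD_HEADER[12] = { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 1 };
```

With only `OPT_EDNS0` the OPT RR goes out with a zero flags word, so a resolver has no reason to return RRSIGs or set AD; that is why enabling EDNS0 alone leaves the SSHFP lookup insecure.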