Bug 1608

Summary: Reverse DNS support for VerifyHostKeyDNS configuration option
Product: Portable OpenSSH Reporter: Wolfgang Nagele <wnagele>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: enhancement CC: sander, simon
Priority: P2    
Version: -current   
Hardware: All   
OS: All   
URL: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/dns.c?annotate=1.25

Description Wolfgang Nagele 2009-06-12 22:47:19 AEST 
When enabling the configuration option VerifyHostKeyDNS the code is skipping SSHFP lookups for reverse DNS. The area in the code can be found between line 194-197 in dns.c[1] (Version 1.25).

I would like to point out that it is perfectly plausible to have SSHFP records in any reverse DNS zone and i would appreciate them being used inside of the OpenSSH code. This would enable people using this feature when connecting directly via IP addresses.

[1] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/dns.c?annotate=1.25
Comment 1 Sander Steffann 2012-10-09 07:45:54 AEDT 
+1 on implementing this enhancement. With the current implementation the SSHFP record lookup depends on which hostname is used when connecting to a host (in cases where a host has multiple hostnames/aliases). Looking in the reverse DNS tree for SSHFP records after resolving the hostname to an IP address would make all possible ways of connecting use the SSHFP records.