Bug 1299

Summary: Remove redefinition of _res in getrrsetbyname.c
Product: Portable OpenSSH
Reporter: Curt Sampson <cjs>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: major
Keywords: patch
Priority: P2
Version: 4.5p1
Hardware: All
OS: NetBSD
Bug Depends on:
Bug Blocks: 1289, 1305
Attachments:
  Check for global _res in configure. (Flags: none)

Description Curt Sampson 2007-03-16 15:54:15 AEDT
Ssh won't use SSHFP fingerprints available via DNSSEC, because it doesn't turn on DNSSEC to request them.

Around line 70 in openbsd-compat/getrrsetbyname.c, we have the following:

    /* to avoid conflicts where a platform already has _res */
    #ifdef _res
    # undef _res
    #endif
    #define _res    _compat_res

    struct __res_state _res;

This defines a global, _compat_res, used only by OpenSSH (at least on NetBSD), and makes _res be that instead of the "real" _res (however that might be defined on various platforms).

_res is used only in the getrrsetbyname function, which never initializes it in any way, but tries to act as if it's using the real _res. So it calls res_init every time:

        if ((_resp->options & RES_INIT) == 0 && res_init() == -1) {

and it never turns on DNSSEC, even when RES_USE_EDNS0 is set, since it's checking for it in the wrong place:

        if (_resp->options & RES_USE_EDNS0)
            _resp->options |= RES_USE_DNSSEC;

The fix is to remove the code that redefines _res, or at least #ifdef it for only those platforms that need this for some reason.
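The following program is an added illustration of the two symptoms the report describes and is not OpenSSH code: it models the resolver state with a constructed struct and illustrative flag values (not any libc's real ones), supplies a stand-in for libc's res_init() that, like the real one, initialises the platform's own state, and then runs the two quoted checks once against the uninitialised _compat_res copy (the bug) and once against the platform state (the fix). All names other than the RES_* flags and _compat_res are hypothetical.

```c
#include <stdio.h>

/* Constructed stand-in for the resolver state in <resolv.h>: only the
 * `options` word that the report's two checks read is modelled, and the
 * flag values are illustrative rather than any libc's real ones. */
struct demo_res_state {
    unsigned long options;
};
#define RES_INIT       0x00000001UL
#define RES_USE_EDNS0  0x00100000UL
#define RES_USE_DNSSEC 0x00800000UL

/* The platform's own resolver state, already initialised and with EDNS0
 * requested (constructed to represent `options edns0` in resolv.conf). */
static struct demo_res_state platform_res = { RES_INIT | RES_USE_EDNS0 };

/* The private copy that `#define _res _compat_res` in getrrsetbyname.c makes
 * every later use of `_res` refer to. Nothing ever initialises it. */
static struct demo_res_state _compat_res;

static int init_calls;

/* Stand-in for libc's res_init(): like the real one it sets up the
 * platform's state, not whatever struct the caller happens to be checking. */
static int demo_res_init(void)
{
    init_calls++;
    platform_res.options |= RES_INIT;
    return 0;
}

/* The two checks quoted from getrrsetbyname(), parameterised on which state
 * `_resp` points at. Returns 1 if the query would carry RES_USE_DNSSEC,
 * 0 if not, -1 on initialisation failure. */
static int query_would_request_dnssec(struct demo_res_state *_resp)
{
    if ((_resp->options & RES_INIT) == 0 && demo_res_init() == -1)
        return -1;
    if (_resp->options & RES_USE_EDNS0)
        _resp->options |= RES_USE_DNSSEC;
    return (_resp->options & RES_USE_DNSSEC) ? 1 : 0;
}

/* With the redefinition in place, _resp is &_compat_res: RES_INIT is never
 * seen as set, so res_init runs on every call, and EDNS0 is never seen. */
int buggy_lookup(void) { return query_would_request_dnssec(&_compat_res); }

/* With the redefinition removed, _resp is the platform's real state. */
int fixed_lookup(void) { return query_would_request_dnssec(&platform_res); }

int res_init_calls_so_far(void) { return init_calls; }

int main(void)
{
    int i;
    for (i = 0; i < 3; i++) {
        int dnssec = buggy_lookup();
        printf("buggy: dnssec=%d, res_init calls=%d\n", dnssec, res_init_calls_so_far());
    }
    {
        int dnssec = fixed_lookup();
        printf("fixed: dnssec=%d, res_init calls=%d\n", dnssec, res_init_calls_so_far());
    }
    return 0;
}
```

Run as is, the buggy path reports dnssec=0 while the res_init count climbs by one per call; the fixed path reports dnssec=1 without calling res_init at all, because the platform state already carries RES_INIT.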
Comment 1 Darren Tucker 2007-04-10 09:45:27 AEST
This was also mentioned on the mailing list, however it has not been confirmed whether or not the patch resolves the problem on NetBSD.

http://marc.info/?l=openssh-unix-dev&m=117390608117235
Comment 2 Darren Tucker 2007-04-10 09:47:43 AEST
Created attachment 1258
Check for global _res in configure.

Note that you will need to run "autoreconf" to rebuild configure before configuring and building.
Comment 3 Darren Tucker 2007-04-29 14:06:20 AEST
The patch has been applied to both -HEAD and the 4.6 stable branch so it will be in the next release.

Could you please test a snapshot from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ (20070430 or later) and confirm that the problem is indeed resolved for you?

Thanks.
Comment 4 Damien Miller 2008-04-04 09:58:50 AEDT
Close resolved bugs after release.