Bug 1320

Summary: Add support for ldns
Product: Portable OpenSSH Reporter: Simon Vallet <svallet>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: cjwatson, djm, dtucker
Priority: P2    
Version: -current   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 1930    
Attachments:
Description Flags
Patch against CVS
none
Updated ldns patch
none
Updated ldns patch djm: ok+

Description Simon Vallet 2007-06-11 23:54:47 AEST 
Created attachment 1301 [details]
Patch against CVS

trying to make use of SSHFP records (RFC 4255) to publish host key fingerprints in the DNS, we're stumbling on some issues.

It appears some non-OpenBSD platforms don't support DNSSEC in the native
resolver (e.g. glibc), which renders such a setup quite useless,
since openssh correctly requires the RRs to be signed and validated.

The following patch adds support for ldns, an external resolver
library, with the following functionality:
- Set DO on the SSHFP query
- Support AD if the answer comes from a validating resolver 
- Support autonomous validation using a configured trust anchor in case
the answer is not marked as authentic.

It depends on the SVN version of ldns (revision 2345), which is available 
there: http://www.nlnetlabs.nl/ldns/

The patch is against current CVS (and needs a minor adjustment to config.h.in, which does not seem to be under version control)

Simon
Comment 1 Darren Tucker 2007-06-12 00:01:46 AEST 
(In reply to comment #0)
> The patch is against current CVS (and needs a minor adjustment to
> config.h.in, which does not seem to be under version control)

config.h.in is created by autoconf, so if you need changes then it's autoconf that needs to be changed.

What exactly needs to be adjusted?
Comment 2 Simon Vallet 2007-06-12 00:17:03 AEST 
(In reply to comment #1)
> (In reply to comment #0)
> > The patch is against current CVS (and needs a minor adjustment to
> > config.h.in, which does not seem to be under version control)
> 
> config.h.in is created by autoconf, so if you need changes then it's
> autoconf that needs to be changed.
> 
> What exactly needs to be adjusted?

weirdly I had to manually add the '#undef HAVE_LDNS' to config.h.in. I thought it was automatically added by this macro:

AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])

but it seems it was not -- maybe my autoconf's broken in some way.
Comment 3 Darren Tucker 2007-06-12 00:23:49 AEST 
(In reply to comment #2)
> weirdly I had to manually add the '#undef HAVE_LDNS' to config.h.in. I
> thought it was automatically added by this macro:
> 
> AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
> 
> but it seems it was not -- maybe my autoconf's broken in some way.

Actually it's the autoheader too which isn't run by autoconf by default.  Try running "autoreconf" instead of autoconf, or run "autoheader" as well.
Comment 4 Simon Vallet 2007-06-12 01:10:14 AEST 
(In reply to comment #3)
> (In reply to comment #2)
> > weirdly I had to manually add the '#undef HAVE_LDNS' to config.h.in. I
> > thought it was automatically added by this macro:
> > 
> > AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
> > 
> > but it seems it was not -- maybe my autoconf's broken in some way.
> 
> Actually it's the autoheader too which isn't run by autoconf by
> default.  Try running "autoreconf" instead of autoconf, or run
> "autoheader" as well.

You're right -- I missed the autoheader part: running autoreconf correctly includes the line in config.h.in
Comment 5 Darren Tucker 2009-12-21 13:49:36 AEDT 
Created attachment 1761 [details]
Updated ldns patch

Replaced strndup (a GNUism) with malloc/memcpy.  Fixed a few style nits, whitespace and such.
Comment 6 Darren Tucker 2010-01-13 11:21:19 AEDT 
If someone who uses ldns could confirm that the updated patch functions correctly then I'd like to put this in for the next release.

Thanks.
Comment 7 Colin Watson 2010-03-01 21:25:09 AEDT 
It was recently brought to my attention (http://bugs.debian.org/572049) that Fedora is shipping a patch purporting to enable DNSSEC with glibc:

  https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup

Perhaps this is an alternative to depending on another library?
Comment 8 Darren Tucker 2010-03-07 14:45:50 AEDT 
(In reply to comment #7)
> Perhaps this is an alternative to depending on another library?

I have no objection to enabling the support when glibc has it, but glibc is only viable on a subset of the platforms supported by openssh.
Comment 9 Darren Tucker 2010-08-03 15:13:15 AEST 
No test reports, punting to next release.
Comment 10 Damien Miller 2011-01-24 12:30:55 AEDT 
Retarget unclosed bugs from 5.7=>5.8
Comment 11 Damien Miller 2011-09-06 10:34:25 AEST 
Retarget unresolved bugs/features to 6.0 release
Comment 12 Damien Miller 2011-09-06 10:36:36 AEST 
Retarget unresolved bugs/features to 6.0 release
Comment 13 Damien Miller 2011-09-06 10:39:12 AEST 
Retarget unresolved bugs/features to 6.0 release

(try again - bugzilla's "change several" isn't)
Comment 14 Darren Tucker 2011-09-23 13:44:03 AEST 
Created attachment 2095 [details]
Updated ldns patch

Some changes at djm's request:
 - renamed bsd-getrrsetbyname.c to getrrsetbyname-ldns.c since it is ldns specific.
 - used xmalloc and friends for extra checking (using #define so any future code syncs will be easier).
Comment 15 Darren Tucker 2011-11-04 11:25:55 AEDT 
patch commited, it will be in the openssh 6.0p1 release.  Thanks!
Comment 16 Damien Miller 2016-08-02 10:42:11 AEST 
Close all resolved bugs after 7.3p1 release