Bug 1625

Summary: Force EDNS0 requests on
Product: Portable OpenSSH
Reporter: Adam Tkac <vonsch>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: normal
CC: djm
Priority: P2
Version: 5.2p1
Hardware: Other
OS: Linux
Attachments: proposed patch (flags: none)

Description Adam Tkac 2009-07-28 02:14:51 AEST
Created attachment 1665: proposed patch

Configuration of key verification from DNS currently requires "options edns0" in /etc/resolv.conf.

Such a requirement has two drawbacks:
- every DNS request is an EDNS0 packet, so more bandwidth is consumed
- "options edns0" in resolv.conf is really not intuitive

The proposed patch makes verification work even if "options edns0" is not set.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=205842
Comment 1 Damien Miller 2010-03-26 12:01:11 AEDT
I think it is a bit risky to enable EDNS0 when it has not been administratively configured as the resolver may not be trustworthy.
Comment 2 Damien Miller 2010-07-05 11:20:24 AEST
I'm not sure about this - it may in fact be harmful. If traffic between a non-DNSSEC-verifying stub resolver and its recursive verifying resolver is subject to attack (e.g. it is on a shared network), then automatically enabling DNSSEC may make it possible for an attacker to force acceptance of certain host keys.
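To make the two points above concrete, here is an added example (not code from OpenSSH or from the attached patch) that builds the SSHFP lookup as a stub resolver would send it with and without the EDNS0 OPT record that "options edns0" adds, checks the AD (Authenticated Data) bit in a response header, and applies the policy the objection in comments 1 and 2 implies: the AD bit is set by the recursive resolver, so it is only worth anything when the stub's path to that resolver is trusted. The `resolver_path_trusted` input and the `accept_hostkey_from_dns` policy are assumptions of this example; the sample response bytes are constructed, not captured.

```python
import struct

RD, RA, AD = 0x0100, 0x0080, 0x0020   # DNS header flag bits (RFC 1035 / RFC 4035)
OPT_TYPE, DO = 41, 0x8000             # EDNS0 OPT pseudo-RR type and its DO flag (RFC 6891 / RFC 3225)
SSHFP = 44                            # RR type carrying SSH host-key fingerprints (RFC 4255)


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, edns0: bool, txid: int = 0x1234) -> bytes:
    """SSHFP query for `name`. With edns0=True an OPT RR with the DO bit is
    appended in the additional section: this is the wire-level effect of
    'options edns0' and tells the recursive resolver the client wants DNSSEC
    data back."""
    arcount = 1 if edns0 else 0
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", SSHFP, 1)  # class IN
    if not edns0:
        return header + question
    # OPT RR: owner = root, TYPE = 41, CLASS = UDP payload size,
    # TTL field = ext-rcode/version/flags (DO), RDLEN = 0
    opt = encode_name(".") + struct.pack("!HHIH", OPT_TYPE, 4096, DO, 0)
    return header + question + opt


def query_requests_dnssec(query: bytes) -> bool:
    """True if the query ends in an OPT RR whose DO bit is set."""
    if len(query) < 11:
        return False
    owner, rtype, _, ttl, rdlen = struct.unpack("!BHHIH", query[-11:])
    return owner == 0 and rtype == OPT_TYPE and rdlen == 0 and bool(ttl & DO)


def answer_is_authenticated(response: bytes) -> bool:
    """AD bit from the response header: the *recursive* resolver's claim that
    it validated the answer. A non-validating stub cannot check this itself."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & AD)


def accept_hostkey_from_dns(response: bytes, resolver_path_trusted: bool) -> bool:
    """Assumed policy: trust AD only when the stub-to-resolver path cannot be
    tampered with (e.g. a resolver the administrator deliberately configured),
    which is exactly what enabling it automatically would skip."""
    return resolver_path_trusted and answer_is_authenticated(response)
```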
Comment 3 Damien Miller 2015-04-17 14:58:04 AEST
Won't implement this for the reasons described.
Comment 4 Damien Miller 2015-08-11 23:04:23 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1