Bug 1608 - Reverse DNS support for VerifyHostKeyDNS configuration option
Summary: Reverse DNS support for VerifyHostKeyDNS configuration option
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: -current
Hardware: All All
Importance: P2 enhancement
Assignee: Assigned to nobody
URL: http://www.openbsd.org/cgi-bin/cvsweb...
Keywords:
Depends on:
Blocks:
Reported: 2009-06-12 22:47 AEST by Wolfgang Nagele
Modified: 2014-03-27 02:00 AEDT
Description Wolfgang Nagele 2009-06-12 22:47:19 AEST
When enabling the configuration option VerifyHostKeyDNS, the code skips SSHFP lookups for reverse DNS. The relevant area in the code can be found between lines 194-197 in dns.c[1] (Version 1.25).

I would like to point out that it is perfectly plausible to have SSHFP records in any reverse DNS zone, and I would appreciate them being used inside the OpenSSH code. This would enable people to use this feature when connecting directly via IP addresses.

[1] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/dns.c?annotate=1.25
Comment 1 Sander Steffann 2012-10-09 07:45:54 AEDT
+1 on implementing this enhancement. With the current implementation the SSHFP record lookup depends on which hostname is used when connecting to a host (in cases where a host has multiple hostnames/aliases). Looking in the reverse DNS tree for SSHFP records after resolving the hostname to an IP address would make all possible ways of connecting use the SSHFP records.
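As an added illustration of the lookup the report and this comment ask for (example code, not OpenSSH's dns.c): the SSHFP owner name is derived from the reverse-DNS name of an IP literal, or of the addresses a hostname resolved to, instead of only from the forward name. DNS answers, the host key blob and the addresses are constructed inline; `lookup_names`, `host_key_matches` and the `resolved` parameter are hypothetical names.

```python
"""Added example (not OpenSSH code): keying SSHFP verification on reverse-DNS names.
DNS is simulated with an inline dict of constructed records; the key blob is a
constructed ssh-ed25519 wire-format blob, not a real key."""
import hashlib
import ipaddress
import struct

# RFC 4255 / RFC 6594 code points for the SSHFP algorithm and fingerprint-type fields.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def lookup_names(host: str, resolved=()) -> list:
    """Owner names to query: the forward name (when host is not an IP literal) plus the
    in-addr.arpa / ip6.arpa name of the literal and of each address it resolved to."""
    names = []
    try:
        names.append(ipaddress.ip_address(host).reverse_pointer)
    except ValueError:
        names.append(host.rstrip("."))
    names.extend(ipaddress.ip_address(a).reverse_pointer for a in resolved)
    return names

def sshfp_record(key_type: str, key_blob: bytes, fptype: int = 2) -> str:
    """Presentation-format SSHFP RDATA; the hash covers the wire-format public key blob."""
    return f"{SSHFP_ALG[key_type]} {fptype} {SSHFP_HASH[fptype](key_blob).hexdigest()}"

def host_key_matches(host, key_type, key_blob, dns, resolved=()) -> bool:
    """True if any SSHFP record under any candidate owner name matches the presented key."""
    for name in lookup_names(host, resolved):
        for rdata in dns.get(name, []):
            rec_alg, fptype, fp = rdata.split()
            if int(rec_alg) != SSHFP_ALG[key_type] or int(fptype) not in SSHFP_HASH:
                continue  # different key algorithm or unknown hash type: skip, don't fail
            if SSHFP_HASH[int(fptype)](key_blob).hexdigest() == fp.lower():
                return True
    return False

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

# Constructed host key: ssh-ed25519 wire format with a placeholder 32-byte public point.
HOST_KEY_TYPE = "ssh-ed25519"
HOST_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

# Constructed DNS: the SSHFP is published under the forward name and both reverse zones;
# alias.example.net has no SSHFP of its own, as in the multi-hostname case above.
DNS = {
    "server.example.net": [sshfp_record(HOST_KEY_TYPE, HOST_KEY_BLOB)],
    ipaddress.ip_address("192.0.2.10").reverse_pointer: [sshfp_record(HOST_KEY_TYPE, HOST_KEY_BLOB)],
    ipaddress.ip_address("2001:db8::10").reverse_pointer: [sshfp_record(HOST_KEY_TYPE, HOST_KEY_BLOB, 1)],
}
```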