Bug 1625 - Force EDNS0 requests on
Summary: Force EDNS0 requests on
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 5.2p1
Hardware: Other Linux
Importance: P2 normal
Assignee: Assigned to nobody
Reported: 2009-07-28 02:14 AEST by Adam Tkac
Modified: 2015-08-11 23:04 AEST

Attachments
proposed patch (2.46 KB, patch)
2009-07-28 02:14 AEST, Adam Tkac

Description Adam Tkac 2009-07-28 02:14:51 AEST
Created attachment 1665
proposed patch

Configuration of key verification from DNS currently requires "options edns0" in /etc/resolv.conf.

Such a requirement has two drawbacks:
- every DNS request is an EDNS0 packet, thus more bandwidth is consumed
- "options edns0" in resolv.conf is really not intuitive

The proposed patch makes verification work even if "options edns0" is not set.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=205842
Comment 1 Damien Miller 2010-03-26 12:01:11 AEDT
I think it is a bit risky to enable EDNS0 when it has not been administratively configured as the resolver may not be trustworthy.
Comment 2 Damien Miller 2010-07-05 11:20:24 AEST
I'm not sure about this - it may in fact be harmful. If traffic between a non-DNSSEC-verifying stub resolver and its recursive verifying resolver is subject to attack (e.g. it is on a shared network), then automatically enabling DNSSEC may make it possible for an attacker to force acceptance of certain host keys.
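Added example, not code from this bug or from OpenSSH: a small Python model of the decision the report and the comments above are about. It computes the SSHFP record for a host key and then applies a policy in which the AD bit on the answer is honoured only when the administrator has opted in (the "options edns0" requirement the patch wanted to drop); the key blob and records are constructed, and the policy function is a sketch of the reasoning, not OpenSSH's dns.c.

```python
import base64
import hashlib
from dataclasses import dataclass

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed Ed25519 host key blob (not a real host's key): SSH wire format is
# the string "ssh-ed25519" followed by the 32-byte public key.
CONSTRUCTED_KEY_B64 = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))).decode()


@dataclass(frozen=True)
class SshfpRecord:
    algorithm: int
    fp_type: int
    fingerprint: bytes


def sshfp_for_key(key_type: str, key_b64: str, fp_type: int = 2) -> SshfpRecord:
    """The SSHFP record a zone operator publishes for a host key (what
    `ssh-keygen -r` prints): the hash covers the raw public key blob, i.e. the
    base64-decoded field of a known_hosts line."""
    blob = base64.b64decode(key_b64)
    return SshfpRecord(SSHFP_ALG[key_type], fp_type, SSHFP_HASH[fp_type](blob).digest())


def verify_host_key_dns(key_type: str, key_b64: str, answer: list,
                        ad_bit: bool, edns0_configured: bool) -> str:
    """Policy sketch (an assumption, not OpenSSH's dns.c). `answer` is the SSHFP
    RRset returned for the host, `ad_bit` the AD flag on that response, and
    `edns0_configured` stands for the administrator's explicit opt-in via
    "options edns0" in resolv.conf. The AD bit is set by the recursive resolver,
    so it only means something when the path to that resolver is trusted; the
    opt-in is what records that judgement, and an AD bit the client did not
    knowingly ask for is treated as unvalidated."""
    matched = any(sshfp_for_key(key_type, key_b64, r.fp_type) == r
                  for r in answer if r.fp_type in SSHFP_HASH)
    if not matched:
        return "no-match"         # fall back to the normal known_hosts prompt
    if ad_bit and edns0_configured:
        return "secure-match"     # VerifyHostKeyDNS=yes may accept without prompting
    return "insecure-match"       # informational only; the user is still prompted
```

The same answer with the AD bit set yields "secure-match" only under the opt-in; without it the match is reported but never trusted on its own, which is the distinction the comments draw.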
Comment 3 Damien Miller 2015-04-17 14:58:04 AEST
Won't implement this for the reasons described.
Comment 4 Damien Miller 2015-08-11 23:04:23 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1