OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
DNSSEC/SSHFP, getrrsetbyname(3), and resolv.conf(5)

From: jared r r spiegel (jrrsice-nine.org)
Date: Thu Nov 03 2005 - 18:04:43 CST


  holy hell this OS f'ckin rocks.

  so i waste a day and a half because i forgot to
  do a 'dnssec-enable yes;' in named.conf, totally my fault.

  after i turn that on and setup named and my keys/zones
  right ( or unbreak them, after the day and a half of barking
  up the wrong tree... ), i find i have DNSSEC working for my SSHFP
  records, as tested by dig ( i have 'ad' in the reply, and i get
  RRSIG records printed in my Answer Sections ).

  ssh, otoh, is still saying to me "found <NUM> insecure fingerprints in DNS".

  i spend more time on it and read [1], and get to thinking, ok,
  how the hell does ssh know if my resolver verified the SSHFP/RRSIG/DNSSEC
  crap or not? i thought it has to be in the data given back to
  ssh by the resolver.

  so i peek in /usr/src/usr.sbin/dns.c, and find the verify_host_key_dns
  function (?) and see it does some error checking and then it
  runs 'getrrsetbyname'

  so, what the hell i say, 'man getrrsetbyname'.

  oh. look. there's a manpage.

  so in getrsetbyname(3) i find:

---
     If the EDNS0 option is activated in resolv.conf(5), getrrsetbyname() will
     request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.
---

  ok, so i check resolv.conf(5) and find:

---
     options Allows certain internal resolver variables to be modified.
                 The syntax is:

                 options option ...

                 where option is one of the following:

                 debug Sets RES_DEBUG in _res.options.

                 edns0 attach OPT pseudo-RR for ENDS0 extension specified
                            in RFC 2671, to inform DNS server of our receive
                            buffer size. The option will allow DNS servers to
                            take advantage of non-default receive buffer size,
                            and to send larger replies. DNS query packets
                            with EDNS0 extension are not compatible with non-
                            EDNS0 DNS servers. The option must be used only
                            when all the DNS servers listed in nameserver
                            lines are able to handle EDNS0 extension.
<...>
     The options keyword of a system's resolv.conf or resolv.conf.tail file
     can be amended on a per-process basis by setting the environment variable
     RES_OPTIONS to a space-separated list of resolver options as explained
     above.
---

  so i 'export RES_OPTIONS=edns0'
  
  and then:

---
$ ssh -vo verifyhostkeydns\ yes hk4801.hklocal.nodeless.net
OpenSSH_4.2, OpenSSL 0.9.7g 11 Apr 2005
<...>
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
---

   !

   thank you Jakob Schlyter

[1] - http://www.ietf.org/internet-drafts/draft-ietf-secsh-dns-05.txt

( i checked ftp://ftp.win.tue.nl/pub/linux-local/manpages/man-pages-2.13.tar.gz
  and it doesn't seem to have getrrsetbyname(3), though perhaps it goes
  by a different name over there.. ? )

--

  jared

[ openbsd 3.8 GENERIC ( oct 15 ) // i386 ]