bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-11  13:54 UTC
[Bug 1320] New: Add support for ldns
http://bugzilla.mindrot.org/show_bug.cgi?id=1320
           Summary: Add support for ldns
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: svallet at genoscope.cns.fr
Created an attachment (id=1301)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1301)
Patch against CVS
Trying to make use of SSHFP records (RFC 4255) to publish host key
fingerprints in the DNS, we're stumbling on some issues.
It appears some non-OpenBSD platforms don't support DNSSEC in the native
resolver (e.g. glibc), which renders such a setup quite useless,
since openssh correctly requires the RRs to be signed and validated.
The following patch adds support for ldns, an external resolver
library, with the following functionality:
- Set DO on the SSHFP query
- Support AD if the answer comes from a validating resolver
- Support autonomous validation using a configured trust anchor in case
the answer is not marked as authentic.
It depends on the SVN version of ldns (revision 2345), which is
available there: http://www.nlnetlabs.nl/ldns/
The patch is against current CVS (and needs a minor adjustment to
config.h.in, which does not seem to be under version control)
Simon
-- 
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
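The first two behaviours listed in the report above (DO set on the SSHFP query, AD honoured in the answer), shown at the DNS wire level as an added example; it is not code from the attached patch or from ldns. The function names, the enum values and the 4096-byte advertised payload size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { T_SSHFP = 44, T_OPT = 41, C_IN = 1, EDNS_DO = 0x8000, FLAG_AD = 0x20 };
enum sshfp_trust { SSHFP_BAD, SSHFP_UNVALIDATED, SSHFP_SECURE };

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }

/* Encode "a.b.c" as length-prefixed labels; returns bytes written, 0 on error. */
static size_t put_name(uint8_t *out, size_t cap, const char *name)
{
    size_t n = 0;
    while (*name) {
        size_t len = strcspn(name, ".");
        if (len == 0 || len > 63 || n + len + 2 > cap) return 0;
        out[n++] = (uint8_t)len;
        memcpy(out + n, name, len);
        n += len;
        name += len;
        if (*name == '.') name++;
    }
    if (n >= cap) return 0;
    out[n++] = 0;                  /* root label */
    return n;
}

/* Build an SSHFP query carrying an EDNS0 OPT record with the DO bit set. */
size_t build_sshfp_query(uint8_t *buf, size_t cap, uint16_t id, const char *host)
{
    size_t n, off = 12;
    if (cap < 12 + 255 + 4 + 11) return 0;
    memset(buf, 0, 12);
    put16(buf, id);
    buf[2] = 0x01;                 /* RD: ask the resolver to recurse */
    put16(buf + 4, 1);             /* QDCOUNT */
    put16(buf + 10, 1);            /* ARCOUNT: the OPT record */
    if ((n = put_name(buf + off, 255, host)) == 0) return 0;
    off += n;
    put16(buf + off, T_SSHFP); put16(buf + off + 2, C_IN); off += 4;
    buf[off++] = 0;                /* OPT owner name: root */
    put16(buf + off, T_OPT);
    put16(buf + off + 2, 4096);    /* CLASS field = UDP payload size (assumed) */
    put16(buf + off + 4, 0);       /* extended RCODE, EDNS version 0 */
    put16(buf + off + 6, EDNS_DO); /* flags: DNSSEC OK */
    put16(buf + off + 8, 0);       /* RDLEN */
    return off + 10;
}

/* Decide how far the answer can be trusted from its header alone. */
enum sshfp_trust classify_response(const uint8_t *msg, size_t len, uint16_t id)
{
    if (len < 12 || msg[0] != (id >> 8) || msg[1] != (id & 0xff)) return SSHFP_BAD;
    if (!(msg[2] & 0x80) || (msg[3] & 0x0f) != 0) return SSHFP_BAD; /* QR, RCODE */
    /* AD means the resolver validated; trust it only over a trusted path.
       Without AD, validate locally against a trust anchor or treat as insecure. */
    return (msg[3] & FLAG_AD) ? SSHFP_SECURE : SSHFP_UNVALIDATED;
}
```

`SSHFP_UNVALIDATED` is the case the report's third item covers: the records must then be checked locally against a configured trust anchor before the fingerprint is relied on.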
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-11  14:01 UTC
[Bug 1320] Add support for ldns
http://bugzilla.mindrot.org/show_bug.cgi?id=1320
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au>  2007-06-12
00:01:46 ---
(In reply to comment #0)
> The patch is against current CVS (and needs a minor adjustment to
> config.h.in, which does not seem to be under version control)
config.h.in is created by autoconf, so if you need changes then it's
autoconf that needs to be changed.
What exactly needs to be adjusted?
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-11  14:17 UTC
[Bug 1320] Add support for ldns
http://bugzilla.mindrot.org/show_bug.cgi?id=1320
--- Comment #2 from Simon Vallet <svallet at genoscope.cns.fr> 2007-06-12 00:17:03 ---
(In reply to comment #1)
> (In reply to comment #0)
> > The patch is against current CVS (and needs a minor adjustment to
> > config.h.in, which does not seem to be under version control)
>
> config.h.in is created by autoconf, so if you need changes then it's
> autoconf that needs to be changed.
>
> What exactly needs to be adjusted?
Weirdly I had to manually add the '#undef HAVE_LDNS' to config.h.in. I
thought it was automatically added by this macro:
AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
but it seems it was not -- maybe my autoconf's broken in some way.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-11  14:23 UTC
[Bug 1320] Add support for ldns
http://bugzilla.mindrot.org/show_bug.cgi?id=1320
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2007-06-12 00:23:49 ---
(In reply to comment #2)
> weirdly I had to manually add the '#undef HAVE_LDNS' to config.h.in. I
> thought it was automatically added by this macro:
>
> AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
>
> but it seems it was not -- maybe my autoconf's broken in some way.
Actually it's the autoheader too which isn't run by autoconf by
default. Try running "autoreconf" instead of autoconf, or run
"autoheader" as well.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-11  15:10 UTC
[Bug 1320] Add support for ldns
http://bugzilla.mindrot.org/show_bug.cgi?id=1320
--- Comment #4 from Simon Vallet <svallet at genoscope.cns.fr> 2007-06-12 01:10:14 ---
(In reply to comment #3)
> (In reply to comment #2)
> > weirdly I had to manually add the '#undef HAVE_LDNS' to config.h.in. I
> > thought it was automatically added by this macro:
> >
> > AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
> >
> > but it seems it was not -- maybe my autoconf's broken in some way.
>
> Actually it's the autoheader too which isn't run by autoconf by
> default. Try running "autoreconf" instead of autoconf, or run
> "autoheader" as well.
You're right -- I missed the autoheader part: running autoreconf
correctly includes the line in config.h.in
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-18  00:38 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1626
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-21  02:49 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1301|0                           |1
        is obsolete|                            |
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2009-12-21
13:49:36 EST ---
Created an attachment (id=1761)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1761)
Updated ldns patch
Replaced strndup (a GNUism) with malloc/memcpy.  Fixed a few style
nits, whitespace and such.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-13  00:21 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
--- Comment #6 from Darren Tucker <dtucker at zip.com.au> 2010-01-13 11:21:19 EST ---
If someone who uses ldns could confirm that the updated patch functions
correctly then I'd like to put this in for the next release. Thanks.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-29  00:13 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1626                        |
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-29  00:13 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1708
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-01  10:25 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Colin Watson <cjwatson at debian.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cjwatson at debian.org
--- Comment #7 from Colin Watson <cjwatson at debian.org> 2010-03-01
21:25:09 EST ---
It was recently brought to my attention (http://bugs.debian.org/572049)
that Fedora is shipping a patch purporting to enable DNSSEC with glibc:
 
https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Perhaps this is an alternative to depending on another library?
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-07  03:45 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
--- Comment #8 from Darren Tucker <dtucker at zip.com.au> 2010-03-07 14:45:50 EST ---
(In reply to comment #7)
> Perhaps this is an alternative to depending on another library?
I have no objection to enabling the support when glibc has it, but
glibc is only viable on a subset of the platforms supported by openssh.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-03  05:13 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1708                        |1803
--- Comment #9 from Darren Tucker <dtucker at zip.com.au>  ---
No test reports, punting to next release.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24  01:30 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1803                        |
--- Comment #10 from Damien Miller <djm at mindrot.org> 2011-01-24
12:30:55 EST ---
Retarget unclosed bugs from 5.7=>5.8
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24  01:31 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1845
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06  00:34 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1930
--- Comment #11 from Damien Miller <djm at mindrot.org> 2011-09-06
10:34:25 EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06  00:36 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
--- Comment #12 from Damien Miller <djm at mindrot.org> 2011-09-06 10:36:36 EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06  00:39 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1845                        |
--- Comment #13 from Damien Miller <djm at mindrot.org> 2011-09-06
10:39:12 EST ---
Retarget unresolved bugs/features to 6.0 release
(try again - bugzilla's "change several" isn't)
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-23  03:44 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1761|0                           |1
        is obsolete|                            |
   Attachment #2095|                            |ok?(djm at mindrot.org)
              Flags|                            |
--- Comment #14 from Darren Tucker <dtucker at zip.com.au> 2011-09-23
13:44:03 EST ---
Created attachment 2095
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2095
Updated ldns patch
Some changes at djm's request:
 - renamed bsd-getrrsetbyname.c to getrrsetbyname-ldns.c since it is
ldns specific.
 - used xmalloc and friends for extra checking (using #define so any
future code syncs will be easier).
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-24  03:54 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2095|ok?(djm at mindrot.org)        |ok+
              Flags|                            |
bugzilla-daemon at bugzilla.mindrot.org
2011-Nov-04  00:25 UTC
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
--- Comment #15 from Darren Tucker <dtucker at zip.com.au> 2011-11-04
11:25:55 EST ---
Patch committed, it will be in the openssh 6.0p1 release.  Thanks!