bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-27 16:14 UTC
[Bug 1625] New: [PATCH] Make configuration of key verification from DNS easier
https://bugzilla.mindrot.org/show_bug.cgi?id=1625
Summary: [PATCH] Make configuration of key verification from
DNS easier
Product: Portable OpenSSH
Version: 5.2p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: vonsch at gmail.com
Created an attachment (id=1665)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1665)
proposed patch
Configuration of key verification from DNS currently requires "options
edns0" in /etc/resolv.conf.
Such requirement has two drawbacks:
- every DNS request is the EDNS0 packet thus more bandwidth is consumed
- "options edns0" in resolv.conf is really not intuitive
Proposed patch makes verification working even if "options edns0" is
not set.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=205842
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-26 01:01 UTC
[Bug 1625] [PATCH] Make configuration of key verification from DNS easier
https://bugzilla.mindrot.org/show_bug.cgi?id=1625
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> 2010-03-26 12:01:11
EST ---
I think it is a bit risky to enable EDNS0 when it has not been
administratively configured as the resolver may not be trustworthy.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-05 01:17 UTC
[Bug 1625] Force EDNS0 requests on
https://bugzilla.mindrot.org/show_bug.cgi?id=1625
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|[PATCH] Make configuration |Force EDNS0 requests on
|of key verification from |
|DNS easier |
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-05 01:20 UTC
[Bug 1625] Force EDNS0 requests on
https://bugzilla.mindrot.org/show_bug.cgi?id=1625 --- Comment #2 from Damien Miller <djm at mindrot.org> --- I'm not sure about this - it may in fact be harmful. If traffic between a non--DNSSEC-verifying stub resolver and its recursive verifying resolver is subject to attack (e.g. it is on a shared network), then automatically enabling DNSSEC may make it possible for an attacker to force acceptance of certain host keys. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.