openssh unix dev - Dec 2022 - SSHFP DNS - OS / stub resolvers that deliver "secured" answers ?

Hello,

I just set up SSHFP for a handful of boxes that I run.  In reading through the
docs and experimenting - I think I have a good grasp of the expected behavior
and options (no/ask/yes).

However one thing that I?m still trying to wrap my head around is the mechanism
under the hood to mark fingerprints as ?secure?.  My domain for this is fully
DNSSEC / validates.  My home network resolver has DNSSEC validation enabled as
well.  All good on the DNSSEC zone/server/resolver front.

It seems like to get a ?secure fingerprint? response, the only combination I saw
working is a Linux client running systemd-resolved with DNSSEC enabled.  From
this client, I was able to see that the fingerprint was marked as secure (so
?yes? will work without prompting etc.).

macOS doesn?t seem to do this.  I?ve read on various posts and messages that
supposedly mDNSResponder has ?some bits of code? in it to do stub/client
validation - but they aren?t turned on / fully fleshed out ?

I don?t really use Windows so I can?t speak to that.

So my actual question (which I apologize - technically isn?t about OpenSSH
itself?) - which OS / stub resolver combos can deliver what the ssh client is
expecting to mark a fingerprint as secure ?

Thanks.

On Thu, 15 Dec 2022 at 01:36, vom513 <vom513 at gmail.com>
wrote:
> However one thing that I?m still trying to wrap my head around is the
mechanism under the hood to mark fingerprints as ?secure?.
The thing you're looking for is the "Authenticated Data" or AD bit
(RFC3655) in your resolver library.  If your system resolver doesn't
support this OpenSSH can be built against LDNS (./configure
--with-ldns) which does.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.