Displaying 20 results from an estimated 53 matches for "ldns".
2016 Aug 03
5
[Bug 2603] New: Build with ldns and without kerberos support fails if ldns compiled with kerberos support
https://bugzilla.mindrot.org/show_bug.cgi?id=2603
Bug ID: 2603
Summary: Build with ldns and without kerberos support fails if
ldns compiled with kerberos support
Product: Portable OpenSSH
Version: 7.3p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Compone...
2013 Jun 09
7
[Bug 2119] New: SSHFP with DNSSEC – no trust anchors given, validation always fails
...uct: Portable OpenSSH
Version: 6.2p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: grawity at gmail.com
The ldns DNS resolver, as used by openbsd-compat/getrrsetbyname-ldns.c,
always fails to verify the DNSSEC signatures:
debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug2: ldns: trying to validate RRset
debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS
debug2: ldns: RRset validation...
2018 Jan 10
4
sshfp/ldns still having issues in 7.6
...s indicate that the fix patch was
included: https://www.openssh.com/txt/release-7.6
I tried 7.6 and I still cannot connect without a prompt wondering if I am
really sure.
-----------------
7.4p1
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
debug3: verify_host_key_dns
debug2: ldns: got 1 answers from DNS
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ~/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug1: Authentication succeeded...
2007 May 21
1
[PATCH] Add support for ldns
...55) to publish host key fingerprints in the DNS.
However, some non-OpenBSD platforms don't support DNSSEC in the native
resolver (e.g. glibc), which renders the whole thing quite useless,
since openssh correctly requires the RRs to be signed and validated.
The following patch adds support for ldns, an external resolver
library, with the following functionality:
- Set DO on the SSHFP query
- Support AD if the answer comes from a validating resolver
- Support autonomous validation using a configured trust anchor in case
the answer is not marked as authentic.
It depends on the SVN version of...
2017 Mar 31
10
[Bug 2702] New: ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
Bug ID: 2702
Summary: ssh compiled with --with-ldns segfaults during
known_hosts parsing
Product: Portable OpenSSH
Version: 7.5p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigne...
2017 Mar 23
6
[Bug 2697] New: Portable OpenSSH 7.5 can't build with ldns using ldns-config
https://bugzilla.mindrot.org/show_bug.cgi?id=2697
Bug ID: 2697
Summary: Portable OpenSSH 7.5 can't build with ldns using
ldns-config
Product: Portable OpenSSH
Version: 7.5p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: Build system
Assignee: unassigned-bugs at min...
2018 Jan 11
3
sshfp/ldns still having issues in 7.6
> I replaced the ldns code with getdns. Works fine for more than a year now.
>
I am interested in how you did that. Would you mind sharing your procedure?
> I don't think anybody cares. I tried to tell people. But that had no
> effect.
>
There certainly is not as much talk about it as I would expect...
2016 Nov 11
0
ldns-dane
This is an epel package but I thought that I would ask here first. I
am encountering unexpected behaviour from this program and I would
like to know if it is a bug, or I am configuring something wrong, or
if this is intended behaviour.
ldns-dane version 1.6.16 (ldns version 1.6.16)
When I attempt to specify the entire certificate as the desired data
source for this program I get the following error:
ldns-dane \
-n -o 0 \
-c CA_HLL_ROOT_2016.pem \
create harte-lyne.ca 443 \
2 0 2
<selector> should be in range [0-1]...
2017 Apr 08
2
[Bug 2708] New: openssh: 7.5p1 update breaks ldns/sshfp
https://bugzilla.mindrot.org/show_bug.cgi?id=2708
Bug ID: 2708
Summary: openssh: 7.5p1 update breaks ldns/sshfp
Product: Portable OpenSSH
Version: 7.5p1
Hardware: Other
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: mindrot...
2015 Dec 24
2
Centos7 problems with dnssec-keygen
I am reading:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html
I have bind installed and default config running. I have not applied my
customizations yet. The first step I am taking is getting rndc.key
created. So reading the guide I am trying to run (while logged in as
root, and in /etc):
dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key
The system is just
2020 Sep 29
2
[Bug 3215] New: Reference to ldns.3.dylib is an error
https://bugzilla.mindrot.org/show_bug.cgi?id=3215
Bug ID: 3215
Summary: Reference to ldns.3.dylib is an error
Product: Portable OpenSSH
Version: 8.4p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: critical
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org...
2012 Jun 26
2
[Bug 2022] New: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
https://bugzilla.mindrot.org/show_bug.cgi?id=2022
Bug #: 2022
Summary: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled
resolver and a CNAME
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Compon...
2007 Jun 11
20
[Bug 1320] New: Add support for ldns
http://bugzilla.mindrot.org/show_bug.cgi?id=1320
Summary: Add support for ldns
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: bitbucket at mindrot.org
ReportedBy: svallet at ge...
2012 Jun 29
2
[Bug 2022] ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
https://bugzilla.mindrot.org/show_bug.cgi?id=2022
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Patch applied, thanks.
I still don't understand how it gets into this state since the space
should be allocated immediately beforehand:
if (rrset->rri_nsigs > 0) {
rrset->rri_sigs = calloc(rrset->rri_nsigs,
2015 Aug 11
0
[Bug 2022] ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
https://bugzilla.mindrot.org/show_bug.cgi?id=2022
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release
2016 Aug 02
0
[Bug 1320] Add support for ldns
https://bugzilla.mindrot.org/show_bug.cgi?id=1320
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #16 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release
2015 Dec 24
0
Centos7 problems with dnssec-keygen
...sshed as
> another session and do not see any processing being done by dnssec-keygen.
>
> Has anyone else done this? Am I doing things in the right order? If it
> works for others, then there is something wrong with my setup...
It's working fine for me.
I'm using the command ldns-keygen to generate keys though - e.g.
ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}`
and
KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}`
ldns-keygen is from the ldns package.
Mine is currently all scripted and automated, has been for months - I
started wi...
2015 Dec 24
2
Centos7 problems with dnssec-keygen
...t see any processing being done by
>> dnssec-keygen.
>>
>> Has anyone else done this? Am I doing things in the right order? If it
>> works for others, then there is something wrong with my setup...
>
> It's working fine for me.
>
> I'm using the command ldns-keygen to generate keys though - e.g.
>
> ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}`
>
> and
>
> KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}`
>
> ldns-keygen is from the ldns package.
>
> Mine is currently all scripted and a...
2019 Feb 13
3
DNSSEC Questions
On 2/12/19 10:55 PM, Alice Wonder wrote:
> DNSSEC keys do not expire. Signatures do expire. How long a signature
> is good for depends upon the software generating the signature, some
> let you specify. ldns I believe defaults to 60 days but I am not sure.
>
> The keys are in DNSKEY records that are signed by your Key Signing
> Key and must be resigned before the signature expires or they will no
> longer validate.
>
> Likewise, the other records in the zone must be resigned by yo...
2019 Feb 13
2
DNSSEC Questions
Last weekend I had my DNSSEC keys expire. I discovered that they had
expired the hard way... namely randomly websites could not be found and
email did not get delivered. It seems that the keys were only valid for
what I estimate was about 30 days. It is a real PITA to have to update the
keys, restart named and then update Godaddy with new digests.
The first part of the problem is fairly