Displaying 6 results from an estimated 6 matches for "rrtype".
2007 May 22
3
[Bug 1317] New: ssh uses obsolete SIG RRtype
http://bugzilla.mindrot.org/show_bug.cgi?id=1317
Summary: ssh uses obsolete SIG RRtype
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: bitbucket at mindrot.org
ReportedBy: svallet at genosco...
2013 Jun 09
7
[Bug 2119] New: SSHFP with DNSSEC – no trust anchors given, validation always fails
...Reporter: grawity at gmail.com
The ldns DNS resolver, as used by openbsd-compat/getrrsetbyname-ldns.c,
always fails to verify the DNSSEC signatures:
debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug2: ldns: trying to validate RRset
debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS
debug2: ldns: RRset validation failed: General LDNS error
debug1: found 6 insecure fingerprints in DNS
The problem is that ldns is not being given any trust anchor, so it
defaults to an empty list and automatically fails. This makes the ldns
support useless when used standalone (i.e....
2012 Jun 29
2
[Bug 2022] ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
https://bugzilla.mindrot.org/show_bug.cgi?id=2022
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Patch applied, thanks.
I still don't understand how it gets into this state since the space
should be allocated immediately beforehand:
if (rrset->rri_nsigs > 0) {
rrset->rri_sigs = calloc(rrset->rri_nsigs,
2008 Mar 31
0
Announce: OpenSSH 4.9 released
...and sftp(1) progressmeter type fixes. (bz#842)
- SSH2_MSG_UNIMPLEMENTED packets did not correctly reset the client
keepalive logic, causing disconnections on servers that did not
explicitly implement "keepalive at openssh.com". (bz#1307)
- ssh(1) used the obsolete SIG DNS RRtype for host keys in DNS,
instead of the current standard RRSIG. (bz#1317)
- Extract magic buffer size constants in scp(1) to #defines.
(bz#1333)
- Correctly drain ACKs when a sftp(1) upload write fails midway,
avoids a fatal() exit from what should be a recoverable condition....
2007 May 21
1
[PATCH] Add support for ldns
...ed_keys = ldns_rr_list_new();
+
+ debug2("ldns: trying to validate RRset");
+ /* Get eventual sigs */
+ rrsigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER);
+ rrset->rri_nsigs = ldns_rr_list_rr_count(rrsigs);
+ debug2("ldns: Got %u sigs (RRTYPE %u) from DNS", rrset->rri_nsigs, LDNS_RR_TYPE_RRSIG);
+
+ if ((err = ldns_verify_trusted(ldns_res, rrdata, rrsigs, trusted_keys)) == LDNS_STATUS_OK) {
+ rrset->rri_flags |= RRSET_VALIDATED;
+ debug2("ldns: RRset is signed with a valid key");
+ } else {
+ de...
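Review bot: rrsigs is used unchecked on the two lines after ldns_pkt_rr_list_by_type(). ldns documents a NULL return when the answer section holds no record of the requested type, so an unsigned answer still gets a "Got %u sigs" line and goes on to ldns_verify_trusted(), ending up on the same else path as a genuine validation failure. Suggest testing rrsigs == NULL (or rri_nsigs == 0) first, logging that the RRset is unsigned, and skipping verification in that case. Separately, trusted_keys is a freshly created empty list in the visible lines and nothing shown here gives ldns_res a trust anchor; that is worth confirming in the part of the patch not shown, since the validation cannot return LDNS_STATUS_OK without one and RRSET_VALIDATED would then never be set.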