similar to: [Bug 2022] New: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME

https://bugzilla.mindrot.org/show_bug.cgi?id=2022 --- Comment #2 from Darren Tucker <dtucker at zip.com.au> --- Patch applied, thanks. I still don't understand how it gets into this state since the space should be allocated immediately beforehand: if (rrset->rri_nsigs > 0) { rrset->rri_sigs = calloc(rrset->rri_nsigs,

Hi, as discussed before, we're trying to make use of SSHFP records (RFC 4255) to publish host key fingerprints in the DNS. However, some non-OpenBSD platforms don't support DNSSEC in the native resolver (e.g. glibc), which renders the whole thing quite useless, since openssh correctly requires the RRs to be signed and validated. The following patch adds support for ldns, an external

https://bugzilla.mindrot.org/show_bug.cgi?id=2022 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #5 from Damien Miller <djm at mindrot.org> --- Set all RESOLVED bugs to CLOSED with release

https://bugzilla.mindrot.org/show_bug.cgi?id=2119 Bug ID: 2119 Summary: SSHFP with DNSSEC ? no trust anchors given, validation always fails Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

https://bugzilla.mindrot.org/show_bug.cgi?id=2708 Bug ID: 2708 Summary: openssh: 7.5p1 update breaks ldns/sshfp Product: Portable OpenSSH Version: 7.5p1 Hardware: Other OS: FreeBSD Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at

> I replaced the ldns code with getdns. Works fine for more than a year now. > I am interested in how you did that. Would you mind sharing your procedure? > I don't think anybody cares. I tried to tell people. But that had no > effect. > There certainly is not as much talk about it as I would expect there to be.

I have been running openSSH 7.4p1 for a while now. When I upgraded to 7.5 a year or so ago I ran into the problem listed in this bug report: Bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218472 The release notes for 7.6 release notes indicate that the fix patch was included: https://www.openssh.com/txt/release-7.6 I tried 7.6 and I still cannot connect without a prompt wondering

https://bugzilla.mindrot.org/show_bug.cgi?id=2603 Bug ID: 2603 Summary: Build with ldns and without kerberos support fails if ldns compiled with kerberos support Product: Portable OpenSSH Version: 7.3p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5

Hi, I found a small issue with DNSSEC validation of SSHFP lookups. (For reference I used OpenSSH 6.8p1 on FreeBSD 10.1). The issues is that when DNSSEC valiation fails, ssh displays a confusing message to the user. When DNSSEC validation of a SSHFP record fails, ssh presents the user with "Matching host key fingerprint found in DNS. "Are you sure you want to continue connecting

http://bugzilla.mindrot.org/show_bug.cgi?id=1320 Summary: Add support for ldns Product: Portable OpenSSH Version: -current Platform: Other OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: bitbucket at mindrot.org ReportedBy: svallet at

https://bugzilla.mindrot.org/show_bug.cgi?id=2697 Bug ID: 2697 Summary: Portable OpenSSH 7.5 can't build with ldns using ldns-config Product: Portable OpenSSH Version: 7.5p1 Hardware: All OS: All Status: NEW Severity: trivial Priority: P5 Component: Build system

OpenSSH 9.3 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested

This is an epel package but I thought that I would ask here first. I am encountering unexpected behaviour from this program and I would like to know if it is a bug, or I am configuring something wrong, of if this is intended behaviour. ldns-dane version 1.6.16 (ldns version 1.6.16) When I attempt to specify the entire certificate as the desired data source for this program I get the following

https://bugzilla.mindrot.org/show_bug.cgi?id=3215 Bug ID: 3215 Summary: Reference to ldns.3.dylib is an error Product: Portable OpenSSH Version: 8.4p1 Hardware: amd64 OS: Mac OS X Status: NEW Severity: critical Priority: P5 Component: ssh Assignee: unassigned-bugs at

https://bugzilla.mindrot.org/show_bug.cgi?id=2702 Bug ID: 2702 Summary: ssh compiled with --with-ldns segfaults during known_hosts parsing Product: Portable OpenSSH Version: 7.5p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh

On 12/24/2015 12:40 PM, Robert Moskowitz wrote: > I am reading: > > https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html > > I have bind installed and default config running. I have not applied my > customizations yet. The first step I am taking is getting rndc.key > created. So reading the guide I am trying to run (while logged in as > root, and

On 12/24/2015 03:50 PM, Alice Wonder wrote: > > > On 12/24/2015 12:40 PM, Robert Moskowitz wrote: >> I am reading: >> >> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html >> >> >> I have bind installed and default config running. I have not applied my >> customizations yet. The first step I am taking is getting

Hi, I submitted a patch back in November of 2009 to add local validation of DNSSEC record to openssh. I recent updated the patch for 5.8, and figured I do a little marketing while I'm at it. :-) Someone had previously submitted a patch which simply trusted the AD bit in the response, which is susceptible to spoofing by anyone who can inject packets between the resolver and the client. Our

On 2/12/19 11:49 PM, Paul R. Ganci wrote: > > On 2/12/19 10:55 PM, Alice Wonder wrote: >> DNSSEC keys do not expire. Signatures do expire. How long a signature >> is good for depends upon the software generating the signature, some >> lets you specify. ldns I believe defaults to 60 days but I am not sure. >> >> The keys are in DNSSKEY records that are signed

On 2/12/19 7:26 PM, Paul R. Ganci wrote: > Last weekend I had my DNSSEC keys expire. I discovered that they had > expired the hard way... namely randomly websites could not be found and > email did not get delivered. It seems that the keys were only valid for > what I estimate was about 30 days. It is a real PITA to have update the > keys, restart named and then update Godaddy