DNSSEC/SSHFP, getrrsetbyname(3), and resolv.conf(5)
holy hell this OS f'ckin rocks.
so i waste a day and a half because i forgot to
do a 'dnssec-enable yes;' in named.conf, totally my fault.
after i turn that on and set up named and my keys/zones
right (or unbreak them, after the day and a half of barking
up the wrong tree...), i find i have DNSSEC working for my SSHFP
records, as tested by dig (i have 'ad' in the reply, and i get
RRSIG records printed in my Answer Sections).
ssh, otoh, is still saying to me "found <NUM> insecure fingerprints in DNS".
i spend more time on it and read, and get to thinking, ok,
how the hell does ssh know if my resolver verified the SSHFP/RRSIG/DNSSEC
crap or not? i thought it has to be in the data given back to
ssh by the resolver.
so i peek in /usr/src/usr.sbin/dns.c, and find the verify_host_key_dns
function (?) and see it does some error checking and then it
so, what the hell, i say, 'man getrrsetbyname'.
oh. look. there's a manpage.
so in getrrsetbyname(3) i find:
    If the EDNS0 option is activated in resolv.conf(5), getrrsetbyname() will
    request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.
ok, so i check resolv.conf(5) and find:
    options   Allows certain internal resolver variables to be modified.
              The syntax is:

                    options option ...

              where option is one of the following:

              debug   Sets RES_DEBUG in _res.options.

              edns0   attach OPT pseudo-RR for EDNS0 extension specified
                      in RFC 2671, to inform DNS server of our receive
                      buffer size. The option will allow DNS servers to
                      take advantage of non-default receive buffer size,
                      and to send larger replies. DNS query packets
                      with EDNS0 extension are not compatible with
                      non-EDNS0 DNS servers. The option must be used only
                      when all the DNS servers listed in nameserver
                      lines are able to handle EDNS0 extension.

    The options keyword of a system's resolv.conf or resolv.conf.tail file
    can be amended on a per-process basis by setting the environment variable
    RES_OPTIONS to a space-separated list of resolver options as explained
so i 'export RES_OPTIONS=edns0'
    $ ssh -vo verifyhostkeydns\ yes hk4801.hklocal.nodeless.net
    OpenSSH_4.2, OpenSSL 0.9.7g 11 Apr 2005
    debug1: found 1 secure fingerprints in DNS
    debug1: matching host key fingerprint found in DNS
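As an added example (not part of the original post, and not OpenSSH's or OpenBSD's code), here is a POSIX shell script that scripts the two checks done by hand above: whether a dig +dnssec reply for the SSHFP record carries RRSIG records and the 'ad' flag, and whether edns0 is turned on for the libc resolver, either in resolv.conf or via RES_OPTIONS, since without the DO bit getrrsetbyname() never reports the answer as secure and ssh counts the fingerprints as insecure. The dig reply and resolv.conf contents are constructed samples; the hostname, key and signature in them are placeholders. On a real host, feed the functions the output of 'dig +dnssec SSHFP <host>' and the text of /etc/resolv.conf.

```shell
#!/bin/sh
# Added example: script the checks the post does by hand.
#   1. Does the resolver's reply carry an RRSIG over SSHFP and the AD flag?
#   2. Is edns0 enabled for the libc resolver (resolv.conf or RES_OPTIONS),
#      so it sets the DO bit and getrrsetbyname() can see the answer as secure?
# The dig reply and resolv.conf text below are constructed samples; the
# hostname, key and signature are placeholders, not real records.

DIG_SECURE=$(cat <<'EOF'
; <<>> DiG 9.3.2 <<>> +dnssec SSHFP host.example.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
host.example.net. 3600 IN SSHFP 1 1 0123456789abcdef0123456789abcdef01234567
host.example.net. 3600 IN RRSIG SSHFP 5 3 3600 20380101000000 20070101000000 4242 example.net. PLACEHOLDERSIG==
EOF
)

# Same answer from a resolver that did not validate it (no AD flag).
DIG_NOAD=$(printf '%s\n' "$DIG_SECURE" | sed 's/^;; flags: qr rd ra ad;/;; flags: qr rd ra;/')

# Unsigned zone: SSHFP present, but no RRSIG and no AD flag.
DIG_UNSIGNED=$(printf '%s\n' "$DIG_NOAD" | grep -v ' RRSIG ')

# Constructed resolv.conf contents, with and without the edns0 option.
RESOLV_EDNS0='nameserver 127.0.0.1
options edns0'
RESOLV_PLAIN='nameserver 127.0.0.1'

# dig_flags DIGOUTPUT: print the header flags (e.g. "qr rd ra ad") of a dig reply.
dig_flags() {
  printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# dig_validated DIGOUTPUT: succeed when the AD (authenticated data) flag is set.
dig_validated() {
  case " $(dig_flags "$1") " in
    *" ad "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# dig_signed DIGOUTPUT TYPE: succeed when the answer section carries an RRSIG
# covering TYPE (field 4 is the RR type, field 5 the type covered).
dig_signed() {
  printf '%s\n' "$1" | awk -v t="$2" '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;;/                 { in_ans = 0 }
    in_ans && $4 == "RRSIG" && $5 == t { found = 1 }
    END { exit found ? 0 : 1 }'
}

# resolv_edns0 RESOLVCONF: succeed when an "options" line lists edns0.
resolv_edns0() {
  printf '%s\n' "$1" | awk '
    $1 == "options" { for (i = 2; i <= NF; i++) if ($i == "edns0") found = 1 }
    END { exit found ? 0 : 1 }'
}

# edns0_enabled RESOLVCONF: succeed when edns0 comes from RES_OPTIONS in the
# environment (the per-process override resolv.conf(5) describes) or from the
# given resolv.conf text.
edns0_enabled() {
  case " ${RES_OPTIONS:-} " in
    *" edns0 "*) return 0 ;;
  esac
  resolv_edns0 "$1"
}

# sshfp_diagnose DIGOUTPUT RESOLVCONF: print one line saying why ssh would
# count the SSHFP record as secure or insecure, in the order the post hit them.
sshfp_diagnose() {
  dig_signed "$1" SSHFP || { echo "no-rrsig: no RRSIG over SSHFP; is the zone signed and does named.conf have 'dnssec-enable yes;'?"; return 1; }
  dig_validated "$1"    || { echo "no-ad: reply lacks the AD flag, so the resolver did not validate it"; return 1; }
  edns0_enabled "$2"    || { echo "no-edns0: libc resolver will not set the DO bit; add 'options edns0' to resolv.conf or export RES_OPTIONS=edns0"; return 1; }
  echo secure
}

echo "validating resolver, edns0 on : $(sshfp_diagnose "$DIG_SECURE"   "$RESOLV_EDNS0")"
echo "validating resolver, edns0 off: $(sshfp_diagnose "$DIG_SECURE"   "$RESOLV_PLAIN")"
echo "non-validating resolver       : $(sshfp_diagnose "$DIG_NOAD"     "$RESOLV_EDNS0")"
echo "unsigned zone                 : $(sshfp_diagnose "$DIG_UNSIGNED" "$RESOLV_EDNS0")"
```

The ordering of the checks mirrors the post: an RRSIG proves the zone is signed and named is serving DNSSEC data, the AD flag proves the resolver validated it, and only with edns0 enabled does the libc resolver send the DO bit that lets getrrsetbyname() pass that validation result on to ssh.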