SSHFP DNS - OS / stub resolvers that deliver "secured" answers ?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hello,

I just set up SSHFP for a handful of boxes that I run.  In reading through the docs and experimenting - I think I have a good grasp of the expected behavior and options (no/ask/yes).

However one thing that I’m still trying to wrap my head around is the mechanism under the hood to mark fingerprints as “secure”.  My domain for this is fully DNSSEC / validates.  My home network resolver has DNSSEC validation enabled as well.  All good on the DNSSEC zone/server/resolver front.  

It seems like to get a “secure fingerprint” response, the only combination I saw working is a Linux client running systemd-resolved with DNSSEC enabled.  From this client, I was able to see that the fingerprint was marked as secure (so “yes” will work without prompting etc.).

macOS doesn’t seem to do this.  I’ve read on various posts and messages that supposedly mDNSResponder has “some bits of code” in it to do stub/client validation - but they aren’t turned on / fully fleshed out ?

I don’t really use Windows so I can’t speak to that.

So my actual question (which I apologize - technically isn’t about OpenSSH itself…) - which OS / stub resolver combos can deliver what the ssh client is expecting to mark a fingerprint as secure ?

Thanks.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux