Bug 4706 - fetch ssh host keys via dns (dnssec)
Summary: fetch ssh host keys via dns (dnssec)
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Peter Åstrand
Depends on:
Reported: 2013-06-14 14:58 CEST by Pierre Ossman
Modified: 2022-12-13 13:16 CET

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2013-06-14 14:58:42 CEST
OpenSSH has the ability to fetch the server's host key from DNS and to verify it using DNSSEC. This is very useful from an administration point of view as you don't have to roll out clients with the host key preconfigured.

We should consider enabling this support in our ssh and also mention it in the documentation.
Comment 1 Pierre Ossman cendio 2013-06-18 12:09:26 CEST
There are some security considerations as well. ssh cannot reasonably validate DNSSEC all the way to the root, so it has to trust the resolver. That means that:

 a) You trust that your resolver is friendly and hasn't been compromised

 b) You're on a network where an attacker cannot spoof replies from the resolver

This is probably true on a corporate network, but probably not for laptops that are often on public networks.
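To make the mechanism and the trust boundary discussed above concrete, here is an added example (not ThinLinc or OpenSSH code): it derives the SSHFP records that OpenSSH looks up from a host public key, and models the VerifyHostKeyDNS decision, where a fingerprint match only counts as verified when the resolver reported the answer as DNSSEC-validated (AD flag). The host key and the resolver reply are constructed stand-ins, and `dns_answer` is an assumed dict shape, not a real resolver API.

```python
import base64
import hashlib
import hmac

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return (alg, fptype, hex fingerprint) tuples for one OpenSSH public-key
    line, e.g. the contents of /etc/ssh/ssh_host_ed25519_key.pub.  The
    fingerprint is taken over the raw key blob, exactly as 'ssh-keygen -r' does."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALG[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_HASH.items()]


def zone_lines(hostname, pubkey_line):
    """Zone-file lines an administrator would publish for the host."""
    return [f"{hostname}. IN SSHFP {a} {f} {fp}" for a, f, fp in sshfp_records(pubkey_line)]


def check_host_key(pubkey_line, dns_answer):
    """Model the VerifyHostKeyDNS decision for the key the server just presented.
    dns_answer is a constructed stand-in for the resolver reply:
      {"ad": <bool, AD flag set by a validating resolver>,
       "sshfp": [(alg, fptype, hex), ...]}
    Returns (matched, trusted).  A match is only trusted when the resolver
    claims DNSSEC validation; the client has no way to check that claim itself,
    which is exactly why a spoofable or compromised resolver breaks the scheme."""
    expected = sshfp_records(pubkey_line)
    matched = any(a == ea and f == ef and hmac.compare_digest(fp, efp)
                  for ea, ef, efp in expected for a, f, fp in dns_answer["sshfp"])
    return matched, matched and bool(dns_answer["ad"])


def _openssh_pubkey(keytype, raw):
    """Build an OpenSSH public-key line from a raw key (constructed sample only)."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    return keytype + " " + base64.b64encode(s(keytype.encode()) + s(raw)).decode()


# Constructed sample host key: 32 arbitrary bytes, not a real server key.
SAMPLE_HOST_KEY = _openssh_pubkey("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    for line in zone_lines("host.example.com", SAMPLE_HOST_KEY):
        print(line)
```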
