lfilipoz at emyr
May 8, 2012, 9:20 PM
Dear OpenSSH Developers,
feature request: modify getrrsetbyname() to use libunbound
I'm a member of the Debian System Administration (DSA) team.  We
manage the Debian Projects computing infrastructure.
Recently, DSA had the opportunity to address a member's request that we
begin using certificates to authenticate Debian Project machines to ssh
clients. We provided a lengthy reply, the summary of which is "we
publish SSHFP records; use VerifyHostKeyDNS; set up a local caching
resolver to avoid MITM attacks".
That said, it seems rather cumbersome to have users install a local
caching resolver in order to secure the last mile of DNS queries (who
trusts their ISP, after all), so we postulated whether it would be
possible to modify openssh such that the ssh client could perform the
It turns out that this is quite straightforward to implement (see
preliminary patch, attached), entirely because you have have well
encapsulated the DNS query code.
Since we are quite concerned that our project members (let alone our
general user population) aren't managing their known_hosts in a secure
or timely manner, we are keen on using SSHFP records .. but only if the
DNSSEC last mile issue can be addressed in a relatively easy way for
We propose that openssh be modified as follows:
(1) introduce a new ssh_config directive: UnboundConfigurationFile
(2) modify getrrsetbyname() such that, if UnboundConfigurationFile is
set, then the unbound resolver is used; if not, then libc
(3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf
In this way, the standard mode of operation for ssh remains unchanged by
default. Users who would like to use SSHFP records in a secure manner
would set the configuration directive.
Please find attached a preliminary patch that modifies getrrsetbyname()
to use libunbound rather than libc.
We have proposed  this modification to the Debian openssh package
maintainers. Knowing that they (and we, too, frankly) would prefer the
modification to be adopted by upstream, I've subscribed to the
openssh-unix-dev list to begin the discussion (I've carbon copied my DSA
colleagues and the openssh package maintainers so that they are aware).
If there is interest in this proposal, I would be pleased to work with
you to complete the patch. (In the meantime, I'm using openssh patched
with libunbound on my macbook since OS/X's libc doesn't support DNSSEC.)
Thanks for your consideration,
Member, Debian System Administration Team