Mailing List Archive



Re: [tlug] SSH Issues



On 2008-11-18 16:34 +0900 (Tue), Stephen J. Turnbull wrote:
> ...
> I assume the spew means that for some reason (probably linking against
> the BIND 8 resolver) dig is unable to authenticate, and so just
> returns all the resource records it received.

I think you are confused about the authentication. Normally, the
resolver doesn't authenticate the records (though you can ask dig to
do so with the key I gave you, if you check the options carefully).
It's your (trusted) resolving server that's normally doing the
authentication, and the libc resolver just relays whether the server
claims to have authenticated the records or not.

> But on Gentoo there doesn't even seem to be a USE flag for resolver v9
> for bind-tools (ie, the package that provides dig).

I would think it's automatic; bind9 dig has always, for me, used the
bind9 resolver library.

> Borrow enough of the OpenSSH code to get the host's public key, say
> "thank you", maybe-replace the key into the known_hosts file, and call
> SSH for real, maybe?  That much of the protocol can't be all that hard
> to get "good enough", can it?

As I mentioned, that's pretty much exactly what we do. No need to borrow
source: the ssh-keyscan will give you back the known_hosts entry. But
it's a bit of a pain, no? And it's also not secure to rely on comparing
the result against the SSHFP record unless you can authenticate the
SSHFP record.

> Getting it fixed is hard enough, but forget about getting it deployed.
> A real fix would involve a full move to BIND 9 resolver in glibc....

glibc is still using the BIND 8 resolver? Holy heck. Makes me wonder
what other chunks of ancient and creaky software are kicking around in
glibc.

> Geez, Curt, you of all people should know that that is presumably
> exactly the braindamaged process that led to the current impasse:
> people unwilling to wait for a full move to BIND 9 adding a few
> features *they* thought were "critical bug fixes" (because they'd been
> personally inconvenienced) to the resolver code....

This is not just "personal inconvenience;" it's a security issue. The
recent whole big brouhaha over DNS spoofing attacks (which have been
happening in the wild for some time) is something that is mitigated to a
great degree, but not solved, by the patches. It was never a problem for
any zones using secure DNS.

> But a move to BIND 9 is not the kind of thing you can do in a quickie
> patch, especially not if you want to claim the security stuff is going
> to work.

Actually, the security stuff in the resolver is not nearly as tricky
as you make it out. And while I understand that the move to the bind9
resolver is non-trivial I would trust it to be correct much more than
crufty-old bind8 code that has had patches piled on by folks who are
incapable of upgrading the resolver to bind9.

cjs
-- 
Curt Sampson       <cjs@example.com>        +81 90 7737 2974
Mobile sites and software consulting: http://www.starling-software.com
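An added illustration of the check discussed above (example code written for this archive page, not code from the thread, from OpenSSH or from BIND): it turns a known_hosts line of the kind ssh-keyscan prints into the SSHFP tuple (algorithm, fingerprint type, hex digest over the raw key blob) and accepts a match only when the resolver reports the SSHFP answer as authenticated, i.e. the AD flag that the libc resolver merely relays. The hostname, the key bytes and the resolver answer are constructed stand-ins.

```python
import base64
import hashlib

# SSHFP algorithm numbers (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) keyed by the
# key type token of a known_hosts line, and the two fingerprint hash types.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_from_known_hosts(line, fptype=2):
    """Turn one known_hosts line (e.g. ssh-keyscan output) into an SSHFP
    tuple (algorithm, fptype, hex fingerprint) hashed over the raw key blob."""
    _host, keytype, b64key = line.split()[:3]
    blob = base64.b64decode(b64key)
    return (SSHFP_ALGORITHMS[keytype], fptype,
            SSHFP_FPTYPES[fptype](blob).hexdigest())

def host_key_matches_sshfp(line, dns_answer):
    """dns_answer is a constructed stand-in for what a resolver hands back:
    {"ad": bool, "records": [(alg, fptype, hexfp), ...]}.  A match counts
    only if the resolver flagged the answer as authenticated (AD bit); an
    unauthenticated SSHFP record can be spoofed along with the host key."""
    if not dns_answer.get("ad"):
        return False
    for alg, fptype, fp in dns_answer["records"]:
        if fptype not in SSHFP_FPTYPES:
            continue  # unknown hash type: ignore rather than trust
        if (alg, fptype, fp.lower()) == sshfp_from_known_hosts(line, fptype):
            return True
    return False

def constructed_ed25519_blob():
    """Constructed sample: SSH wire encoding of an Ed25519 public key, the
    string "ssh-ed25519" followed by a 32-byte string.  The key bytes are
    a placeholder pattern, not a real key."""
    keytype, keybytes = b"ssh-ed25519", bytes(range(32))
    return (len(keytype).to_bytes(4, "big") + keytype
            + len(keybytes).to_bytes(4, "big") + keybytes)

# Constructed known_hosts line, in the shape ssh-keyscan prints.
SAMPLE_KNOWN_HOSTS = ("host.example.com ssh-ed25519 "
                      + base64.b64encode(constructed_ed25519_blob()).decode())

if __name__ == "__main__":
    record = sshfp_from_known_hosts(SAMPLE_KNOWN_HOSTS)
    answer = {"ad": True, "records": [record]}
    print("SSHFP", *record, "match:", host_key_matches_sshfp(SAMPLE_KNOWN_HOSTS, answer))
```

With a real resolver, `dns_answer` would be filled from a DNSSEC-validating server's reply and the AD flag is only meaningful if the path to that server is itself trusted, which is the caveat raised in the thread.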

