should be compiled without ldns for secure SSHFP
Task Info (Flyspray) | |
---|---|
Opened By | Mateusz Poliwczak (mateusz834) |
Task ID | 76779 |
Type | Bug Report |
Project | Arch Linux |
Category | Packages: Core |
Version | None |
OS | All |
Opened | 2022-12-08 14:16:04 UTC |
Status | Assigned |
Assignee | Lukas Fleischer (lfleischer) |
Assignee | David Runge (dvzrv) |
Assignee | Levente Polyak (anthraxx) |
Assignee | Giancarlo Razzolini (grazzolini) |
Details
When VerifyHostKeyDNS=yes is set, the ssh client sends an SSHFP DNS query for the SSH fingerprints. Recently glibc introduced the trust-ad option: the AD bit is stripped when trust-ad is not set in resolv.conf. It seems that ldns does not support this option, so it blindly trusts the AD bit received from the DNS query.
So let's say that our resolv.conf looks like this:
```
nameserver 1.1.1.1
options edns0
```
Then, when glibc receives the AD bit in the response from the 1.1.1.1 resolver, the AD bit is removed (because we didn't specify that we trust it), but ldns passes it as is to the application, which is insecure.
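As an added illustration of the AD-bit handling described in the report (this is not code from the report, glibc, ldns or OpenSSH), the Python model below parses a resolv.conf for the trust-ad option, reads the AD flag from a constructed DNS response header, and shows what a VerifyHostKeyDNS-style consumer observes on the glibc path versus the ldns path. The glibc-strips/ldns-forwards behaviour it encodes is the report's claim, and all function names and sample data are assumptions.

```python
import struct

# Constructed sample configs: the reporter's resolv.conf, and a variant that
# explicitly opts in to trusting the upstream resolver's AD bit.
RESOLV_CONF_DEFAULT = "nameserver 1.1.1.1\noptions edns0\n"
RESOLV_CONF_TRUST_AD = "nameserver 1.1.1.1\noptions edns0 trust-ad\n"

AD_FLAG = 0x0020  # "Authentic Data" bit in the DNS header flags word (RFC 4035)


def resolv_options(resolv_conf: str) -> set:
    """Collect every token on 'options' lines of a resolv.conf, ignoring comments."""
    opts = set()
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]
        fields = line.split()
        if fields and fields[0] == "options":
            opts.update(fields[1:])
    return opts


def ad_bit_set(message: bytes) -> bool:
    """Read the AD bit from the 12-byte header of a raw DNS message."""
    _txid, flags = struct.unpack("!HH", message[:4])
    return bool(flags & AD_FLAG)


def clear_ad_bit(message: bytes) -> bytes:
    """Copy of the message with AD cleared: what glibc does when trust-ad is absent."""
    txid, flags = struct.unpack("!HH", message[:4])
    return struct.pack("!HH", txid, flags & ~AD_FLAG) + message[4:]


def ad_seen_by_application(message: bytes, resolv_conf: str, uses_ldns: bool) -> bool:
    """Model (assumption, not the real libraries' code) of what the application observes:
    ldns forwards the response unchanged; glibc clears AD unless trust-ad is configured."""
    if uses_ldns or "trust-ad" in resolv_options(resolv_conf):
        return ad_bit_set(message)
    return ad_bit_set(clear_ad_bit(message))


# Constructed 12-byte header of a response with QR, RD, RA and AD set, RCODE 0:
# flags = 0x81A0 = QR(0x8000) | RD(0x0100) | RA(0x0080) | AD(0x0020)
SSHFP_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)

if __name__ == "__main__":
    for name, conf in (("default", RESOLV_CONF_DEFAULT), ("trust-ad", RESOLV_CONF_TRUST_AD)):
        for ldns in (False, True):
            seen = ad_seen_by_application(SSHFP_RESPONSE, conf, uses_ldns=ldns)
            print(f"resolv.conf={name:8} ldns={ldns!s:5} -> application sees AD={seen}")
```

With the reporter's resolv.conf the glibc path reports AD=False while the ldns path reports AD=True for the very same response, which is the discrepancy the report describes.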