diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:01 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2014-02-10 02:40:16 +0000 |
| commit | a3e8cef2bae563fe8c87cf9f32511a0808dd47eb (patch) | |
| tree | fe3411138d5ce9d96190ad654d96b7eeefe352f3 /dns.c | |
| parent | 95e6f7afe0ca1c16c31845d6fa30453b45b73e0e (diff) | |
Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06
Patch-Name: dnssec-sshfp.patch
Diffstat (limited to 'dns.c')
| -rw-r--r-- | dns.c | 14 |
1 files changed, 13 insertions, 1 deletions
| @@ -196,6 +196,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
| 196 | { | 196 | { |
| 197 | u_int counter; | 197 | u_int counter; |
| 198 | int result; | 198 | int result; |
| 199 | unsigned int rrset_flags = 0; | ||
| 199 | struct rrsetinfo *fingerprints = NULL; | 200 | struct rrsetinfo *fingerprints = NULL; |
| 200 | 201 | ||
| 201 | u_int8_t hostkey_algorithm; | 202 | u_int8_t hostkey_algorithm; |
| @@ -219,8 +220,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
| 219 | return -1; | 220 | return -1; |
| 220 | } | 221 | } |
| 221 | 222 | ||
| 223 | /* | ||
| 224 | * Original getrrsetbyname function, found on OpenBSD for example, | ||
| 225 | * doesn't accept any flag and prerequisite for obtaining AD bit in | ||
| 226 | * DNS response is set by "options edns0" in resolv.conf. | ||
| 227 | * | ||
| 228 | * Our version is more clever and use RRSET_FORCE_EDNS0 flag. | ||
| 229 | */ | ||
| 230 | #ifndef HAVE_GETRRSETBYNAME | ||
| 231 | rrset_flags |= RRSET_FORCE_EDNS0; | ||
| 232 | #endif | ||
| 222 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, | 233 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, |
| 223 | DNS_RDATATYPE_SSHFP, 0, &fingerprints); | 234 | DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); |
| 235 | |||
| 224 | if (result) { | 236 | if (result) { |
| 225 | verbose("DNS lookup error: %s", dns_result_totext(result)); | 237 | verbose("DNS lookup error: %s", dns_result_totext(result)); |
| 226 | return -1; | 238 | return -1; |