From a2e78317862f864feee24cf0e1dbfb203e9f041b Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Tue, 6 Apr 2010 23:19:19 +0100
Subject: Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).

---
 dns.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'dns.c')

diff --git a/dns.c b/dns.c
index 2e7bb5aae..30c89ebec 100644
--- a/dns.c
+++ b/dns.c
@@ -176,6 +176,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 {
 	u_int counter;
 	int result;
+	unsigned int rrset_flags = 0;
 	struct rrsetinfo *fingerprints = NULL;
 
 	u_int8_t hostkey_algorithm;
@@ -199,8 +200,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		return -1;
 	}
 
+	/*
+	 * Original getrrsetbyname function, found on OpenBSD for example,
+	 * doesn't accept any flag and prerequisite for obtaining AD bit in
+	 * DNS response is set by "options edns0" in resolv.conf.
+	 *
+	 * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+	 */
+#ifndef HAVE_GETRRSETBYNAME
+	rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
-	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+	    DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
 	if (result) {
 		verbose("DNS lookup error: %s", dns_result_totext(result));
 		return -1;
-- 
cgit v1.2.3
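Review bot: The `#ifndef HAVE_GETRRSETBYNAME` block asks for the AD bit via RRSET_FORCE_EDNS0, but neither the new comment nor the code records that AD is an assertion made by the recursive resolver, not a validation ssh performs itself; since the commit message says a DNSSEC-secured SSHFP answer now removes the host-key prompt, an attacker who can spoof replies on the path between ssh and a non-local resolver could set AD and suppress the prompt. I would extend the comment block with: `* The AD bit this requests is asserted by the recursive resolver and is not verified here, so it is only meaningful from a trusted (ideally local, validating) resolver; an untrusted resolver path lets a spoofer set AD and bypass the host-key prompt.` RRSET_FORCE_EDNS0 appears nowhere else in this diff, which touches only dns.c, so the compat build presumably depends on a companion openbsd-compat change defining it — worth confirming before merging. As a matter of wording, `* Our version is more clever and use RRSET_FORCE_EDNS0 flag.` would read better as `* Our compat version accepts the RRSET_FORCE_EDNS0 flag instead.` verify_host_key_dns begins and continues outside the hunk.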