[Bug 1898590] Re: Verify DNS fingerprints not working
Christian Ehrhardt
1898590 at bugs.launchpad.net
Wed Oct 14 10:30:35 UTC 2020
*** This bug is a duplicate of bug 1897744 ***
https://bugs.launchpad.net/bugs/1897744
OK, up/downgrading just "libc6" is enough to trigger.
I also found that libc6 from Eoan version 2.30-0ubuntu2.2 is good.
So it is new in 2.31!
The changelog mentions some DNSSEC changes:
https://sourceware.org/legacy-ml/libc-announce/2020/msg00001.html
"* The DNS stub resolver will optionally send the AD (authenticated
data) bit in queries if the trust-ad option is set via the options
directive in /etc/resolv.conf (or if RES_TRUSTAD is set in
_res.options). In this mode, the AD bit, as provided by the name
server, is available to applications which call res_search and
related functions. In the default mode, the AD bit is not set in
queries, and it is automatically cleared in responses, indicating a
lack of DNSSEC validation. (Therefore, the name servers and the
network path to them are treated as untrusted.)"
Once I knew that it was a small step and I found that
options edns0 trust-ad
in /etc/resolv.conf indeed fixes the issue.
I'm not sure if openssh would be entitled to set RES_TRUSTAD in _res.options.
Maybe not as that is more a decision of the admin setting up and configuring the system than the openssh software.
Therefore I think this is actually a little detail that upgraders that
use dnssec for openssh (and maybe others) via libc6 resolv need to
consider.
** Bug watch added: Debian Bug tracker #960023
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960023
** Also affects: openssh (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960023
Importance: Unknown
Status: Unknown
** Bug watch added: github.com/systemd/systemd/issues #15767
https://github.com/systemd/systemd/issues/15767
** Also affects: systemd via
https://github.com/systemd/systemd/issues/15767
Importance: Unknown
Status: Unknown
** Also affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Changed in: systemd (Ubuntu)
Status: New => Fix Released
** Also affects: glibc (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: systemd (Ubuntu Focal)
Importance: Undecided
Status: New
** No longer affects: glibc (Ubuntu Focal)
** Changed in: openssh (Ubuntu)
Status: Confirmed => Invalid
** No longer affects: openssh (Ubuntu Focal)
** Changed in: glibc (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1898590
Title:
Verify DNS fingerprints not working
Status in systemd:
Unknown
Status in glibc package in Ubuntu:
Invalid
Status in openssh package in Ubuntu:
Invalid
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Focal:
New
Status in openssh package in Debian:
Unknown
Bug description:
When setting in /etc/ssh/ssh_config VerifyHostKeyDNS to yes the fingerprints are fetched, but the result is always:
debug1: found n insecure fingerprints in DNS
With dig +dnssec -t sshfp hostname the result is OK: the AD flag is set.
To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1898590/+subscriptions
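The mechanism discussed in this thread, as an added worked example (not code from the bug report, glibc or openssh): a small model of the glibc 2.31 stub resolver's AD-bit handling, a parser for the `options ... trust-ad` line in /etc/resolv.conf, and a constructed, validated SSHFP reply run through both modes to show why openssh reports "insecure" fingerprints unless trust-ad is set. The name `host.example`, the 32-byte fingerprint and the resolv.conf snippets are constructed inputs; the stub's filtering is modelled with a header rewrite, not glibc's own code.

```python
"""Model of why VerifyHostKeyDNS sees "insecure" fingerprints on glibc 2.31
without 'options trust-ad' in /etc/resolv.conf (added example, not project code)."""
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
QR_BIT = 0x8000  # message is a response
RD_BIT = 0x0100  # recursion desired
RA_BIT = 0x0080  # recursion available
AD_BIT = 0x0020  # authenticated data: resolver performed DNSSEC validation
SSHFP_TYPE = 44
CLASS_IN = 1


def resolv_conf_trusts_ad(text):
    """True if an 'options' line in the given resolv.conf text contains trust-ad."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]  # strip comments
        parts = line.split()
        if parts and parts[0] == "options" and "trust-ad" in parts[1:]:
            return True
    return False


def query_header(txid, trust_ad):
    """12-byte header of the query the stub sends; AD is set only in trust-ad mode."""
    flags = RD_BIT | (AD_BIT if trust_ad else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def stub_filter(response, trust_ad):
    """Model of the glibc 2.31 stub: without trust-ad the AD bit in the answer
    is cleared before the application (here: ssh) ever sees it."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if not trust_ad:
        flags &= ~AD_BIT
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + response[12:]


def response_has_ad(response):
    """Read the AD flag out of a raw DNS message header."""
    return bool(struct.unpack("!H", response[2:4])[0] & AD_BIT)


def encode_name(name):
    """Wire-format (length-prefixed labels) encoding of a domain name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def constructed_validated_response(txid, name):
    """A constructed reply from a validating resolver: one SSHFP RR, AD bit set."""
    header = struct.pack("!HHHHHH", txid, QR_BIT | RD_BIT | RA_BIT | AD_BIT, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", SSHFP_TYPE, CLASS_IN)
    # SSHFP rdata: algorithm 4 (Ed25519), fp type 2 (SHA-256), dummy 32-byte fingerprint
    rdata = bytes([4, 2]) + bytes(range(32))
    # 0xc00c = compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SSHFP_TYPE, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


def sshfp_verdict(resolv_conf_text, raw_response):
    """What openssh would log for this answer: 'secure' only if AD survives the stub."""
    trust_ad = resolv_conf_trusts_ad(resolv_conf_text)
    seen_by_ssh = stub_filter(raw_response, trust_ad)
    return "secure" if response_has_ad(seen_by_ssh) else "insecure"


if __name__ == "__main__":
    reply = constructed_validated_response(0x1234, "host.example")
    for conf in ("nameserver 127.0.0.53\noptions edns0\n",
                 "nameserver 127.0.0.53\noptions edns0 trust-ad\n"):
        print(repr(conf.splitlines()[1]), "->", sshfp_verdict(conf, reply), "fingerprints")
```

The check to keep in mind before adding trust-ad: it only tells the stub to believe the AD bit it receives, so it is safe only when the name server in resolv.conf validates DNSSEC itself and the path to it is trusted (typically a validating resolver on localhost); pointing an unvalidating or remote resolver at a trust-ad stub turns every forged AD bit into a "secure" host key.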