[Bug 1898590] Re: Verify DNS fingerprints not working
Christian Ehrhardt
1898590 at bugs.launchpad.net
Wed Oct 14 10:37:42 UTC 2020
*** This bug is a duplicate of bug 1897744 ***
https://bugs.launchpad.net/bugs/1897744
TL;DR:
one affected by this upgrade triggered behavior change needs to set
options edns0 trust-ad
in /etc/resolv.conf to fix the issue.
And as usual, once you already know what things are about - then (but only then :-/ ) you find the important related issues - reported by Laney \o/
Subscribing him to the bug FYI
Debian bug
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960023
I'll add a bug link to Debian.
Discussed and declared to be systed issue and asked to file upstream.
Which led to ...
Systemd
https://github.com/systemd/systemd/issues/15767
This is fixed in newer systemd and will set trust-ad
I'll add a systemd task to consider backporting this to Focal
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1898590
Title:
Verify DNS fingerprints not working
Status in systemd:
Unknown
Status in glibc package in Ubuntu:
Invalid
Status in openssh package in Ubuntu:
Invalid
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Focal:
New
Status in openssh package in Debian:
Unknown
Bug description:
When setting in /etc/ssh/ssh_config VerifyHostKeyDNS to yes the fingerprints are fetched, but the result is always:
debug1: found n insecure fingerprints in DNS
With dig +dnssec -tsshfp hostname the result is ok: ad flg is set.
To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1898590/+subscriptions
More information about the foundations-bugs
mailing list