[Bug 1898590] Re: Verify DNS fingerprints not working

[Christian Ehrhardt ]

Something helpful for anyone looking into this later I found what seems
a good testcase without requiring too much a local setup (of a dnssec
dns server):


To get unbound (brute force) do:
apt install unbound
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl enable unbound-resolvconf
sudo systemctl enable unbound
# set 127.0.0.1
vim /etc/resolv.conf 

Now this should show the ad flag as reported:
$ dig salsa.debian.org -t sshfp
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

$ ssh -v -o "VerifyHostKeyDNS=yes" test at salsa.debian.org


This indeed (as reported), does show the changed behavior (clean LXD containers, just changes as mentioned above, edns0 set by default):

Bionic:
debug1: found 4 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

Focal:
debug1: found 4 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
The authenticity of host 'salsa.debian.org (209.87.16.44)' can't be established.
ED25519 key fingerprint is SHA256:OAD3pGSwcODIthxF+zIRvPTZ8UCJAYI75E42XDfGr84.
Matching host key fingerprint found in DNS.


** Changed in: openssh (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1898590

Title:
  Verify DNS fingerprints not working

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  When setting in /etc/ssh/ssh_config VerifyHostKeyDNS to yes the fingerprints are fetched, but the result is always:
  debug1: found n insecure fingerprints in DNS
  With dig +dnssec -tsshfp hostname the result is ok: ad flg is set.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1898590/+subscriptions