Improve SSHFP record support

candrews
Posts: 31
Joined: Thu Jul 24, 2008 11:50 am
Contact:

Improve SSHFP record support

Post by candrews » Mon Mar 30, 2015 8:40 am

The SSHFP record interface only supports fingerprint type 1 (SHA-1) - it would be pretty great to also support FP 2 (which is SHA-256).

It also only supports algorithms 1 (RSA) and 2 (DSA). It would likewise be nice to support algorithms 3 (ECDSA) and 4 (Ed25519).

These supplements to SSHFP are described at https://tools.ietf.org/html/rfc6594 and http://www.iana.org/go/rfc7479

Thanks!

Seth
Site Admin
Posts: 295
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada
Contact:

Re: Improve SSHFP record support

Post by Seth » Mon Mar 30, 2015 8:49 am

The PowerDNS docs only reference RFC 4255, so I can't say right now without checking the source code if it'll allow more than that or not.
Seth Mattinen, Roller Network LLC

candrews
Posts: 31
Joined: Thu Jul 24, 2008 11:50 am
Contact:

Re: Improve SSHFP record support

Post by candrews » Thu Apr 28, 2016 6:41 am

I just took a look through the PowerDNS source code at https://github.com/PowerDNS/pdns/search?q=sshfp. PowerDNS doesn't do any checking on the algorithm or fptype fields of the SSHFP records - it simply requires them to be integers.

I also contacted PowerDNS and asked them to add RFC 6594 and RFC 7479 to their compliance page at https://www.powerdns.com/compliance.html

Thanks!
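
An added example, not part of any post in this thread and not PowerDNS or Roller Network code: it builds SSHFP record data from an OpenSSH public key line and checks that a record's algorithm, fptype and fingerprint length agree, using only the values named in the thread. The function names and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# Numbers named in the thread: algorithm 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
# Fingerprint types named in the thread: 1 SHA-1, 2 SHA-256.
FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fptype):
    """Return 'algorithm fptype hexdigest' for an OpenSSH public key line."""
    key_type, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64, validate=True)
    # The fingerprint is the hash of the raw public key blob.
    digest = FPTYPES[fptype](blob).hexdigest()
    return f"{ALGORITHMS[key_type]} {fptype} {digest}"


def validate_sshfp(rdata):
    """Return a list of problems with SSHFP RDATA; empty means well-formed."""
    parts = rdata.split()
    if len(parts) < 3:
        return ["expected: algorithm fptype fingerprint"]
    try:
        algorithm, fptype = int(parts[0]), int(parts[1])
    except ValueError:
        return ["algorithm and fptype must be integers"]
    problems = []
    if algorithm not in set(ALGORITHMS.values()):
        problems.append(f"unknown algorithm {algorithm}")
    try:
        # Zone files may split the hex with spaces, so rejoin it first.
        raw = bytes.fromhex("".join(parts[2:]))
    except ValueError:
        return problems + ["fingerprint is not valid hex"]
    if fptype not in FPTYPES:
        problems.append(f"unknown fptype {fptype}")
    elif len(raw) != FPTYPES[fptype]().digest_size:
        size = FPTYPES[fptype]().digest_size
        problems.append(f"fptype {fptype} needs {size} bytes, got {len(raw)}")
    return problems


# Constructed sample key (bytes 0..31 as the Ed25519 key), not a real host key.
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = f"ssh-ed25519 {base64.b64encode(SAMPLE_BLOB).decode()} host.example"
```

A record such as `4 2 abcd` passes an integers-only check but is reported here because its fingerprint is not 32 bytes long.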

candrews
Posts: 31
Joined: Thu Jul 24, 2008 11:50 am
Contact:

Re: Improve SSHFP record support

Post by candrews » Thu Jun 09, 2016 8:13 am

*bump*

This seems like it should be a really easy change to make... just add a couple new options to the drop down :)

candrews
Posts: 31
Joined: Thu Jul 24, 2008 11:50 am
Contact:

Re: Improve SSHFP record support

Post by candrews » Thu Sep 22, 2016 8:39 am

This really does seem super simple. Can you please make this improvement?

Seth
Site Admin
Posts: 295
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada
Contact:

Re: Improve SSHFP record support

Post by Seth » Tue May 30, 2017 1:18 pm

I'm looking at our code for SSHFP type and it appears this is already done as far as the ACC is concerned (last change date is Dec. 4, 2016). Is it not working?
Seth Mattinen, Roller Network LLC

candrews
Posts: 31
Joined: Thu Jul 24, 2008 11:50 am
Contact:

Re: Improve SSHFP record support

Post by candrews » Tue May 30, 2017 1:50 pm

I never noticed the change was done... I stopped checking :D

Thanks!
~Craig
