Improve SSHFP record support

New ideas and constructive comments go here.

Moderator: Moderators

candrews
Posts: 40
Joined: Thu Jul 24, 2008 11:50 am

Improve SSHFP record support

Post by candrews »

The SSHFP record interface only supports fingerprint type 1 (SHA-1) - it would be pretty great to also support FP 2 (which is SHA-256).

It also only supports algorithms 1 (RSA) and 2 (DSA). It would likewise be nice to support algorithms 3 (ECDSA) and 4 (Ed25519).

These supplements to SSHFP are described at https://tools.ietf.org/html/rfc6594 and http://www.iana.org/go/rfc7479

Thanks!
Seth
Site Admin
Posts: 309
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: Improve SSHFP record support

Post by Seth »

The PowerDNS docs only reference RFC 4255, so I can't say right now without checking the source code if it'll allow more than that or not.
Seth Mattinen, Roller Network LLC
candrews
Posts: 40
Joined: Thu Jul 24, 2008 11:50 am

Re: Improve SSHFP record support

Post by candrews »

I just took a look through the PowerDNS source code at https://github.com/PowerDNS/pdns/search?q=sshfp. PowerDNS doesn't do any checking on the algorithm or fptype fields of the SSHFP records - it simply requires them to be integers.

I also contacted PowerDNS and asked them to add RFC 6594 and RFC 7479 to their compliance page at https://www.powerdns.com/compliance.html

Thanks!
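
Since the post above reports that the server only requires the two fields to be integers, any stricter check has to happen where the record is entered. The following is an added example, not code from the thread, PowerDNS or the site: it derives an SSHFP record from an OpenSSH public key line and validates record content against the algorithm and fingerprint type numbers listed in the thread. The function names, the all-zero sample key and `host.example` are constructed for illustration.

```python
import base64
import hashlib
import struct

# Numbers as listed in the thread (RFC 4255, RFC 6594, RFC 7479).
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}
HEX = set("0123456789abcdefABCDEF")


def sshfp_from_pubkey(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) for an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed key type that must match the label.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != keytype.encode():
        raise ValueError("key type label does not match key blob")
    # Every ECDSA curve (ecdsa-sha2-*) shares algorithm number 3.
    algorithm = 3 if keytype.startswith("ecdsa-sha2-") else ALGORITHMS.get(keytype)
    if algorithm is None or fptype not in FP_TYPES:
        raise ValueError("unsupported key type or fingerprint type")
    # The fingerprint is the digest of the raw key blob, written as hex.
    return algorithm, fptype, FP_TYPES[fptype](blob).hexdigest()


def validate_sshfp(rdata):
    """List problems in '<algorithm> <fptype> <hex>' record content."""
    parts = rdata.split()
    if len(parts) != 3:
        return ["expected: <algorithm> <fptype> <hex fingerprint>"]
    alg, fpt, fp = parts
    problems = []
    if alg not in ("1", "2", "3", "4"):
        problems.append(f"unknown algorithm {alg}")
    if fpt not in ("1", "2"):
        problems.append(f"unknown fingerprint type {fpt}")
    else:
        # 20-byte SHA-1 -> 40 hex digits, 32-byte SHA-256 -> 64 hex digits.
        want = FP_TYPES[int(fpt)]().digest_size * 2
        if len(fp) != want or not set(fp) <= HEX:
            problems.append(f"fingerprint must be {want} hex digits for fptype {fpt}")
    return problems


# Constructed sample: 32 zero bytes stand in for a real Ed25519 public key.
_blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-ed25519", bytes(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " host.example"

if __name__ == "__main__":
    print("host.example. IN SSHFP %d %d %s" % sshfp_from_pubkey(SAMPLE_KEY))
    print(validate_sshfp("5 3 abcd"))
```
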
candrews
Posts: 40
Joined: Thu Jul 24, 2008 11:50 am

Re: Improve SSHFP record support

Post by candrews »

*bump*

This seems like it should be a really easy change to make... just add a couple new options to the drop down :)
candrews
Posts: 40
Joined: Thu Jul 24, 2008 11:50 am

Re: Improve SSHFP record support

Post by candrews »

This really does seem super simple. Can you please make this improvement?
Seth
Site Admin
Posts: 309
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: Improve SSHFP record support

Post by Seth »

I'm looking at our code for SSHFP type and it appears this is already done as far as the ACC is concerned (last change date is Dec. 4, 2016). Is it not working?
Seth Mattinen, Roller Network LLC
candrews
Posts: 40
Joined: Thu Jul 24, 2008 11:50 am

Re: Improve SSHFP record support

Post by candrews »

I never noticed the change was done... I stopped checking :D

Thanks!
~Craig