• DNSSEC and ldns testing

    From noloader@gmail.com@21:1/5 to All on Wed May 15 19:38:43 2019
    Hi Everyone,

    I noticed OpenSSH offers integration with NetLab's ldns (https://github.com/NLnetLabs/ldns). As I understand things, ldns provides DNSSEC functionality. It looks like a very useful library.

    I'm having trouble testing ldns. The tarball has a 'make check' recipe, but the source files are missing and it causes a make failure. The GitHub source files include the test framework, but lack a program called tpkg and the script accesses private company URLs so 'make check' fails there, too.

    My question is, has anyone been able to successfully acceptance test the library? If so, then how did you do it?

    (I was able to successfully test NetLabs Unbound library, so I don't expect to find anything suspicious or egregious. But it would be nice to test the library and obtain some assurances).

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to noloader@gmail.com on Wed May 15 22:11:07 2019
    On 5/15/19 8:38 PM, noloader@gmail.com wrote:
    > Hi Everyone,

    Hi,

    > I noticed OpenSSH offers integration with NetLab's ldns (https://github.com/NLnetLabs/ldns). As I understand things, ldns
    > provides DNSSEC functionality. It looks like a very useful library.

    What does ldns provide that other DNS resolver libraries don't provide?

    I'm about 95% certain that I've gotten OpenSSH to trust a DNSSEC signed
    SSHFP record and not prompt many times before.

    I'm guessing that I'm missing something.



    --
    Grant. . . .
    unix || die

  • From Grant Taylor@21:1/5 to Jeffrey Walton on Wed May 15 22:59:37 2019
    On 5/15/19 10:19 PM, Jeffrey Walton wrote:
    > Hi Grant. I can't answer, sorry. Maybe the OpenSSH devs can provide
    > an answer. I'm hazarding a guess the devs had a compelling reason to
    > add support for it.

    The only thing that I can find is that without ldns, OpenSSH relies on
    external DNSSEC resolver infrastructure. I'm guessing that maybe ldns
    does the DNSSEC validation itself and doesn't need to rely on an
    external DNSSEC resolver infrastructure.

    ¯\_(ツ)_/¯



    --
    Grant. . . .
    unix || die

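The two posts above turn on how OpenSSH decides whether a DNS answer is good enough to skip the host-key prompt. The following is an added example written for this page; it is not code from the thread, from OpenSSH or from ldns. It builds the SSHFP record for an OpenSSH public key the way `ssh-keygen -r` would (algorithm number, hash type, hex fingerprint over the raw key blob, per RFC 4255/6594/7479), compares a published record against the key a server presents, and then combines that comparison with an `authenticated` flag standing for the AD bit a validating resolver sets. A fingerprint match from an unauthenticated answer is only a hint and still leads to the interactive prompt; only match plus AD is treated as secure. The sample key, the owner name `host.example.` and the verdict strings are constructed for the example.

```python
import base64
import hashlib
import struct

# SSHFP field values from RFC 4255 (SSHFP), RFC 6594 (ECDSA, SHA-256) and
# RFC 7479 (Ed25519): the first number names the key algorithm, the second
# names the hash that is computed over the raw SSH wire-format key blob.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_openssh_pubkey(line):
    """Split an OpenSSH 'type base64 [comment]' line into (type, raw blob).

    The blob is the SSH wire encoding of the key and is what SSHFP
    fingerprints are computed over. Its first field is the type string, so
    it is checked against the text prefix before the line is trusted."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("public key blob does not match its declared type")
    return keytype, blob


def sshfp_record(pubkey_line, fptype=2):
    """Return the (algorithm, fptype, hex fingerprint) an SSHFP record for
    this key carries; fptype 2 (SHA-256) is the current default."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
    return SSHFP_ALGORITHM[keytype], fptype, digest


def sshfp_zone_line(owner, pubkey_line, fptype=2):
    """Format the record as the zone-file line that would be published."""
    alg, ft, fp = sshfp_record(pubkey_line, fptype)
    return f"{owner} IN SSHFP {alg} {ft} {fp}"


def sshfp_matches(record, pubkey_line):
    """True only if algorithm, hash type and fingerprint all agree with the
    key the server actually presented."""
    alg, fptype, fp = record
    if fptype not in SSHFP_FPTYPE:
        return False  # unknown hash type: nothing to compare against
    return sshfp_record(pubkey_line, fptype) == (alg, fptype, fp.lower())


def host_key_verdict(records, pubkey_line, authenticated):
    """Combine the fingerprint comparison with the resolver's verdict.

    `authenticated` stands for the AD (Authenticated Data) bit of the DNS
    answer. A match from an unauthenticated answer is only a hint, so the
    client still has to fall back to the interactive host-key prompt."""
    matched = any(sshfp_matches(r, pubkey_line) for r in records)
    if matched and authenticated:
        return "trusted"
    if matched:
        return "matched-but-insecure"
    return "mismatch"


# Constructed sample key: a well-formed ssh-ed25519 blob whose 32 key bytes
# are simply 0..31. It is not a real key; it only lets the example run offline.
_blob = (struct.pack(">I", 11) + b"ssh-ed25519"
         + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_PUBKEY = ("ssh-ed25519 " + base64.b64encode(_blob).decode()
                 + " constructed-sample")


if __name__ == "__main__":
    rec = sshfp_record(SAMPLE_PUBKEY)
    print(sshfp_zone_line("host.example.", SAMPLE_PUBKEY))
    print(host_key_verdict([rec], SAMPLE_PUBKEY, authenticated=True))
    print(host_key_verdict([rec], SAMPLE_PUBKEY, authenticated=False))
```

Run it against a real key by replacing `SAMPLE_PUBKEY` with a line from the server's `ssh_host_*_key.pub`; the zone line it prints can be compared with `ssh-keygen -r` output for the same key, and the `authenticated` argument is where the result of the DNSSEC lookup (the AD bit) feeds in.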
  • From Jeffrey Walton@21:1/5 to Grant Taylor on Wed May 15 21:19:13 2019
    On Thursday, May 16, 2019 at 12:11:10 AM UTC-4, Grant Taylor wrote:
    > On 5/15/19 8:38 PM, noloader@gmail.com wrote:
    >
    > > I noticed OpenSSH offers integration with NetLab's ldns (https://github.com/NLnetLabs/ldns). As I understand things, ldns
    > > provides DNSSEC functionality. It looks like a very useful library.
    >
    > What does ldns provide that other DNS resolver libraries don't provide?

    Hi Grant. I can't answer, sorry. Maybe the OpenSSH devs can provide an answer. I'm hazarding a guess the devs had a compelling reason to add support for it.

    Here is what I am seeing when I run configure:

    goldmont:openssh-8.0p1$ ./configure --help
    `configure' configures OpenSSH Portable to adapt to many kinds of systems.
    ...

    Optional Packages:
    --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
    --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
    --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL**
    --without-stackprotect Don't use compiler's stack protection
    --without-hardening Don't use toolchain hardening flags
    --without-rpath Disable auto-added -R linker paths
    --with-cflags Specify additional flags to pass to compiler
    --with-cflags-after Specify additional flags to pass to compiler after configure
    --with-cppflags Specify additional flags to pass to preprocessor
    --with-ldflags Specify additional flags to pass to linker
    --with-ldflags-after Specify additional flags to pass to linker after configure
    --with-libs Specify additional libraries to link with
    --with-Werror Build main code with -Werror
    --with-solaris-contracts Enable Solaris process contracts (experimental)
    --with-solaris-projects Enable Solaris projects (experimental)
    --with-solaris-privs Enable Solaris/Illumos privileges (experimental)
    --with-osfsia Enable Digital Unix SIA
    --with-zlib=PATH Use zlib in PATH
    --without-zlib-version-check Disable zlib version check
    --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH)
    --with-libedit[=PATH] Enable libedit support for sftp
    --with-audit=module Enable audit support (modules=debug,bsm,linux)
    --with-pie Build Position Independent Executables if possible
    --with-ssl-dir=PATH Specify path to OpenSSL installation
    --without-openssl-header-check Disable OpenSSL version consistency check
    --with-ssl-engine Enable OpenSSL (hardware) ENGINE support
    --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT
    --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
    --with-pam Enable PAM support
    --with-pam-service=name Specify PAM service name
    --with-privsep-user=user Specify non-privileged user for privilege separation
    --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)
    --with-selinux Enable SELinux support
    --with-kerberos5=PATH Enable Kerberos 5 support
    --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
    --with-xauth=PATH Specify path to xauth program
    --with-maildir=/path/to/mail Specify your system mail directory
    --with-mantype=man|cat|doc Set man page type
    --with-md5-passwords Enable use of MD5 passwords
    --without-shadow Disable shadow password support
    --with-ipaddr-display Use ip address instead of hostname in $DISPLAY
    --with-default-path= Specify default $PATH environment for server
    --with-superuser-path= Specify different path for super-user
    --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses
    --with-bsd-auth Enable BSD auth support
    --with-pid-dir=PATH Specify location of sshd.pid file
    --with-lastlog=FILE|DIR specify lastlog location common locations
