PuTTY wish sshfp-dns


This is a mirror. The primary PuTTY web site can be found here.


summary: Support for host key fingerprints in DNS
class: wish: This is a request for an enhancement.
difficulty: tricky: Needs many tuits.
priority: low: We aren't sure whether to fix this or not.

We occasionally get requests to support reading SSH host key fingerprints from the DNS, as defined by RFC 4255.

To implement this, there are two major things to be dealt with:

  • Since SSHFP DNS records are a record type not natively supported by operating systems' resolvers, we'd first need access to the resolver at a level that lets us query for SSHFP and parse the returned records directly (since I very much doubt we'd want to implement an entire resolver ourselves).

    At least some operating systems provide some suitable facilities:

    • OpenSSH (for Unix), for example, uses a function called getrrsetbyname(), which appears to exist natively on OpenBSD, and can perhaps also be provided by BIND9;
    • Portable OpenSSH also has a local version of this function based on the slightly lower-level res_query() in -lresolv, which is claimed to come from 4.3BSD and exists on at least Linux, NetBSD, and Solaris, so may be a better bet;
    • Similarly, recent versions of Windows (from 2000) provide DnsQuery(), which appears to be at the right level.
  • More importantly, the RFC expects that the records should be accompanied by trusted DNSSEC signatures. Many common operating systems don't obviously appear to provide DNSSEC facilities to clients (although OpenBSD getrrsetbyname() claims to), and I don't think we'd want to attempt to implement the whole of DNSSEC signature verification in PuTTY.

    If we can't trust the SSHFP records not to have been tampered with, they could only ever be used as a hint; for instance, to bring up a "host key has changed" dialog, or to mention in the "new host key" dialog. We wouldn't automatically accept a connection to an unknown host solely on the basis of an untrusted SSHFP record. (In fact, we might have to leave use of DNS fingerprints off by default, to avoid the possible nuisance value of getting "host key changed" prompts based on DNS.)

    Even if the OS did indicate that it had verified a DNSSEC signature, I think we'd want the decision of whether PuTTY trusted that signature to be configurable.
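The matching and trust policy sketched above, as an added example (not PuTTY's code): parse SSHFP records in RFC 4255 presentation format, hash the presented host key blob, and report a match or mismatch together with a "trusted" flag that is only set when the resolver reported DNSSEC validation and the user has chosen to trust it. The key blob and record are constructed sample data, not a real key.

```python
import hashlib

# Algorithm and fingerprint-type numbers from the IANA SSHFP registry.
# RFC 4255 defined algorithms 1-2 (RSA, DSA) and SHA-1 (fptype 1); SHA-256
# (fptype 2), ECDSA (alg 3) and Ed25519 (alg 4) were registered later.
SSHFP_ALGORITHMS = {1: "ssh-rsa", 2: "ssh-dss", 3: "ecdsa-sha2-", 4: "ssh-ed25519"}
SSHFP_FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_sshfp(rdata):
    """Parse presentation format '<alg> <fptype> <hex fingerprint>'; zone
    files may split the hex digits with whitespace, so join the remainder."""
    fields = rdata.split()
    if len(fields) < 3:
        raise ValueError("SSHFP record needs algorithm, fp type and fingerprint")
    return int(fields[0]), int(fields[1]), bytes.fromhex("".join(fields[2:]))


def key_fingerprint(key_blob, fptype):
    """RFC 4255 fingerprint: hash of the raw wire-format public key blob
    (the base64-decoded part of an OpenSSH public key line)."""
    return SSHFP_FP_TYPES[fptype](key_blob).digest()


def evaluate_sshfp(records, key_alg, key_blob, dnssec_validated, trust_dnssec):
    """Compare a presented host key against the host's SSHFP records.

    Returns (verdict, trusted). verdict is 'no-data' (no record for this key
    type), 'match' or 'mismatch'. trusted is True only when the resolver
    reported DNSSEC validation *and* the user chose to trust that; an
    untrusted result may decorate a host-key prompt but never accept a key.
    """
    saw_alg = matched = False
    for rdata in records:
        alg, fptype, fp = parse_sshfp(rdata)
        prefix = SSHFP_ALGORITHMS.get(alg)
        if prefix is None or not key_alg.startswith(prefix) or fptype not in SSHFP_FP_TYPES:
            continue  # unknown algorithm or hash type: skip it rather than fail
        saw_alg = True
        if fp == key_fingerprint(key_blob, fptype):
            matched = True
    verdict = "no-data" if not saw_alg else ("match" if matched else "mismatch")
    return verdict, bool(dnssec_validated and trust_dnssec)


# Constructed sample: a stand-in key blob (not a real key) and its SSHFP record.
SAMPLE_KEY_BLOB = b"constructed stand-in for an ssh-ed25519 wire-format key blob"
SAMPLE_RECORD = "4 2 " + hashlib.sha256(SAMPLE_KEY_BLOB).hexdigest()
```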

All in all, on the platforms we support, what we could easily implement may not be useful enough to be worth the effort.



(last revision of this bug record was at 2007-03-06 00:31:30 +0000)