As related in the original ticket description, all this stuff is working
fine under NetBSD; the issue is not with the data, but with Ubuntu. In
particular, there's certainly an issue with Ubuntu glibc that will
simply not allow it to check the AD bit.

While we only reported this recently, I'm wondering if this bug has
languished for years in glibc because nobody understands what the AD bit
is used for. Let me give you one example of the current situation:

 1. Try to ssh to foo.cynic.net, with authentication forwarding.
 2. OpenSSH looks up the IP address in DNS, but this has been intercepted by the attacker.
 3. The resolver cannot authenticate so we carry on.
 4. Look up the SSHFP record in DNS, which may also have been intercepted by the attacker.
 5. The resolver cannot authenticate this, so OpenSSH (correctly) refuses to use it.
 6. User gets an "Unknown host, fingerprint is blah blah" message.

At this point, it goes one of two different ways.

 7. User foolishly says, "it's ok, continue", and connects to the hostile system.
 8. Hostile system uses the user's SSH authentication channel to log in to and subvert other systems to which the user has access.
 9. User, a few seconds later, realizes he's on some weird system and logs out, but the damage is done.

Or, if the user is a bit smarter:

 7. User says, "no, don't connect to an untrusted host."
 8. User tries to find some out-of-band way to figure out the fingerprint of the host he really wants to connect to.
 9. User then realizes that he's under attack.

We get around this by manually generating and copying around (to
/etc/ssh/ssh_known_hosts) a file of public keys for our systems. This
costs us time and money.

-- 
Bind9 (8.04) not returning 'ad' flag when dnssec is enabled
https://bugs.launchpad.net/bugs/242956
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
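A worked illustration of the check described in steps 3 to 5 of the report, added here as example code that is not part of the bug thread, OpenSSH or glibc: it parses a DNS reply carrying an SSHFP record for foo.cynic.net and treats the fingerprint as usable only when the resolver set the AD (Authenticated Data) bit. The reply bytes and the host key are constructed samples, and the verdict strings are this example's own convention.

```python
import hashlib
import struct
SSHFP_TYPE = 44
AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags
def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
def parse_sshfp_response(msg):
    """Return (ad_set, [(algo, fptype, fingerprint), ...]) from a raw DNS reply."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == SSHFP_TYPE and len(rdata) > 2:
            records.append((rdata[0], rdata[1], rdata[2:]))
    return bool(flags & AD_FLAG), records
def verify_host_key(msg, host_key_blob, algo):
    """Policy from the report: SSHFP data counts only when the resolver set AD."""
    ad, records = parse_sshfp_response(msg)
    if not ad:
        return "unverified"  # steps 3-5: the answer could not be authenticated
    digest = hashlib.sha256(host_key_blob).digest()
    for r_algo, fptype, fp in records:
        if r_algo == algo and fptype == 2 and fp == digest:  # fptype 2 = SHA-256
            return "match"
    return "mismatch"
def build_response(ad, rdata, name=b"foo.cynic.net"):
    """Constructed sample reply (not captured traffic) carrying one SSHFP answer."""
    qname = b"".join(bytes([len(lab)]) + lab for lab in name.split(b".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8000 | (AD_FLAG if ad else 0), 1, 1, 0, 0)
    question = qname + struct.pack("!HH", SSHFP_TYPE, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SSHFP_TYPE, 1, 3600, len(rdata)) + rdata
    return header + question + answer
# Constructed Ed25519 host key blob (SSHFP algo 4) and the SSHFP RDATA matching it.
SAMPLE_KEY = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_RDATA = bytes([4, 2]) + hashlib.sha256(SAMPLE_KEY).digest()
```

With the same record in both replies, only the one whose header carries AD yields "match"; the unauthenticated copy is ignored exactly as OpenSSH does, leaving the user at the "Unknown host" prompt.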