https://bugzilla.mindrot.org/show_bug.cgi?id=2217
Jeremy Saklad <stadium-cyclops...@icloud.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stadium-cyclops.0i@icloud.com

--- Comment #2 from Jeremy Saklad <stadium-cyclops...@icloud.com> ---
This would be invaluable, particularly for services like Git. I try to maintain strict separation between machines and the services they provide, such that I can move the service to a different machine without disrupting access. I also want to provide multiple methods of access, such as through an onion service. I currently use these records to convey that:

```
_ssh._tcp.git.saklad5.com. 604800 IN SRV 0 0 22 yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion.
_ssh._tcp.git.saklad5.com. 604800 IN SRV 1 0 22 baza.saklad5.com.
```

The principles of RFC 7673 and similar specs apply here: when using DANE, OpenSSH must validate the delegation with DNSSEC then query SSHFP records for the ultimate target. If any link in the chain of resolution isn't secured, validation fails.

Assuming DNSSEC is used correctly, the records above should mean that `ssh g...@git.saklad5.com` is equivalent to `ssh git@yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion:22`, falling back to `ssh g...@baza.saklad5.com:22`. In keeping with RFC 7686, OpenSSH would immediately skip the onion address unless configured with Tor support.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
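The resolution chain the comment describes (SRV delegation, every link DNSSEC-validated, .onion targets skipped per RFC 7686 unless Tor is enabled, then SSHFP for the final target), written out as an added Python example; this is not OpenSSH code or anything from the comment, the resolver is an injected offline fake over a constructed zone, and the SSHFP data is a placeholder:

```python
from dataclasses import dataclass

@dataclass
class Answer:
    """One DNS answer: RRset data plus whether it was DNSSEC-validated."""
    records: list
    secure: bool   # AD flag set by a validating resolver

class InsecureDelegation(Exception):
    """Some link in the SRV -> target -> SSHFP chain was not validated."""

def resolve_ssh_targets(host, lookup, tor=False):
    """Return [(target, port, sshfp_records)] in SRV priority order.
    lookup(name, rtype) -> Answer. Any insecure link aborts the whole walk,
    mirroring RFC 7673: the delegation itself must be DNSSEC-secured."""
    srv = lookup(f"_ssh._tcp.{host}", "SRV")
    if not srv.secure:
        raise InsecureDelegation(f"SRV for {host} not DNSSEC-validated")
    targets = []
    for _prio, _weight, port, target in sorted(srv.records):  # lowest priority first
        if target.endswith(".onion."):
            if tor:                      # Tor resolves the onion itself; no SSHFP via DNS
                targets.append((target, port, []))
            continue                     # RFC 7686: never look up .onion in the DNS
        fp = lookup(target, "SSHFP")
        if not fp.secure:
            raise InsecureDelegation(f"SSHFP for {target} not DNSSEC-validated")
        targets.append((target, port, list(fp.records)))
    return targets

def make_lookup(zone):
    """Build an offline lookup over a dict {(name, rtype): Answer} (hypothetical fake)."""
    def lookup(name, rtype):
        if (name, rtype) not in zone:
            return Answer([], secure=False)   # missing/unsigned data is treated as insecure
        return zone[(name, rtype)]
    return lookup

# Constructed zone modelled on the SRV records in the comment; the SSHFP
# data is a placeholder string, not a real host key fingerprint.
ONION = "yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion."
ZONE = {
    ("_ssh._tcp.git.saklad5.com", "SRV"): Answer(
        [(0, 0, 22, ONION), (1, 0, 22, "baza.saklad5.com.")], secure=True),
    ("baza.saklad5.com.", "SSHFP"): Answer(["4 2 <placeholder-sha256>"], secure=True),
}

if __name__ == "__main__":
    print(resolve_ssh_targets("git.saklad5.com", make_lookup(ZONE)))
    print(resolve_ssh_targets("git.saklad5.com", make_lookup(ZONE), tor=True))
```

Without Tor the onion target is dropped and only baza.saklad5.com:22 with its SSHFP data is returned; flipping any link to `secure=False` makes the whole walk fail rather than silently falling back.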