https://bugzilla.mindrot.org/show_bug.cgi?id=2217

Jeremy Saklad <stadium-cyclops...@icloud.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stadium-cyclops.0i@icloud.c
                   |                            |om

--- Comment #2 from Jeremy Saklad <stadium-cyclops...@icloud.com> ---
This would be invaluable, particularly for services like Git.

I try to maintain strict separation between machines and the services
they provide, such that I can move the service to a different machine
without disrupting access. I also want to provide multiple methods of
access, such as through an onion service. I currently use these records
to convey that:

```
_ssh._tcp.git.saklad5.com. 604800 IN    SRV     0 0 22 yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion.
_ssh._tcp.git.saklad5.com. 604800 IN    SRV     1 0 22 baza.saklad5.com.
```

The principles of RFC 7673 and similar specs apply here: when using
DANE, OpenSSH must validate the delegation with DNSSEC then query SSHFP
records for the ultimate target. If any link in the chain of resolution
isn't secured, validation fails.

Assuming DNSSEC is used correctly, the records above should mean that
`ssh g...@git.saklad5.com` is equivalent to
`ssh git@yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion:22`,
falling back to `ssh g...@baza.saklad5.com:22`. In keeping with RFC
7686, OpenSSH would immediately skip the onion address unless
configured with Tor support.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

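The resolution chain the comment describes, as an added example (not code from the bug report, the commenter, or OpenSSH): look up the `_ssh._tcp` SRV records, order them per RFC 2782, skip `.onion` targets unless Tor support is configured (RFC 7686), then check the chosen target's SSHFP record (RFC 4255). Following the RFC 7673 principle, every RRset on the path must be DNSSEC-secured or the whole lookup fails. The zone data, the `secure` flags standing in for a validating resolver's AD bit, the second `git.example.` service and the host-key bytes are all constructed for the example; only the two SRV records mirror the ones posted above.

```python
"""Added example, not code from the bug report or from OpenSSH.

Models the SRV -> SSHFP chain described in the comment. All zone data,
'secure' flags (assumption: they stand in for a validating resolver's
AD bit) and host keys are constructed for the example.
"""
import hashlib
import random
from dataclasses import dataclass


class ValidationError(Exception):
    """A link in the resolution chain is missing or not DNSSEC-secured."""


@dataclass(frozen=True)
class RRset:
    secure: bool    # assumption: True means the resolver validated this RRset (AD bit set)
    records: tuple  # SRV: (priority, weight, port, target); SSHFP: (algorithm, fp_type, hex_fp)


def sshfp_sha256(host_key: bytes) -> str:
    """SSHFP fingerprint type 2 (SHA-256) over the raw public-key blob."""
    return hashlib.sha256(host_key).hexdigest()


ONION = "yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion."

# Constructed host keys; a real client gets these from the SSH key exchange.
HOST_KEYS = {
    "baza.saklad5.com.": b"constructed ed25519 host key blob for baza",
    "host.example.": b"constructed ed25519 host key blob for host.example",
}

# Constructed zone data modelled on the records in the comment. SSHFP algorithm 4 = Ed25519.
ZONE = {
    ("_ssh._tcp.git.saklad5.com.", "SRV"): RRset(True, (
        (0, 0, 22, ONION),
        (1, 0, 22, "baza.saklad5.com."),
    )),
    ("baza.saklad5.com.", "SSHFP"): RRset(True, (
        (4, 2, sshfp_sha256(HOST_KEYS["baza.saklad5.com."])),
    )),
    # Constructed second service whose SSHFP RRset is NOT secured: the chain must fail.
    ("_ssh._tcp.git.example.", "SRV"): RRset(True, ((0, 0, 22, "host.example."),)),
    ("host.example.", "SSHFP"): RRset(False, (
        (4, 2, sshfp_sha256(HOST_KEYS["host.example."])),
    )),
}


def lookup(name: str, rtype: str) -> tuple:
    """Return the RRset's records, refusing anything that is absent or not secured."""
    rrset = ZONE.get((name, rtype))
    if rrset is None:
        raise ValidationError(f"no {rtype} RRset for {name}")
    if not rrset.secure:
        raise ValidationError(f"{rtype} RRset for {name} is not DNSSEC-secured")
    return rrset.records


def order_srv(records, rng: random.Random) -> list:
    """RFC 2782 ordering: ascending priority; within a priority, weighted random selection."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # zero-weight records go first so they are picked only when the draw is 0
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered


def candidates(service: str, tor: bool = False, rng=None) -> list:
    """Ordered (target, port) list for the service; .onion targets dropped when Tor is unavailable."""
    rng = rng or random.Random(0)
    result = []
    for _prio, _weight, port, target in order_srv(lookup(service, "SRV"), rng):
        if target.lower().rstrip(".").endswith(".onion") and not tor:
            continue  # RFC 7686: .onion is never resolved through DNS; without Tor, skip it
        result.append((target, port))
    return result


def verify_host(target: str, presented_key: bytes) -> bool:
    """True if the presented key matches a secured Ed25519/SHA-256 SSHFP record for target."""
    digest = sshfp_sha256(presented_key)
    return any(algo == 4 and fptype == 2 and fp == digest
               for algo, fptype, fp in lookup(target, "SSHFP"))


if __name__ == "__main__":
    for target, port in candidates("_ssh._tcp.git.saklad5.com."):
        print(target, port, verify_host(target, HOST_KEYS[target]))
```

Without Tor the onion target is dropped before any DNS query is made for it, so the client lands on `baza.saklad5.com.` and checks its SSHFP record; against the constructed `git.example.` service the SRV lookup succeeds but `verify_host` raises because the SSHFP RRset is unsigned, which is the "any insecure link fails the whole chain" rule from the comment.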