Hello All,
We have found some peculiar behaviour around SSHFP records on ingress via the
PowerDNS API or pdnsutil, and before delving deeper, just reaching out here if
someone has the answer already.
Doing an API RRSet update for SSHFPs shows that:
* having malformed SHA256 fingerprint (hash size + 1) yields:
API:
git.test.net./SSHFP '1 2
e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb79'
Not in expected format (parsed as '1 2
e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb790' <- 0 on the end
pdnsutil:
pdnsutil add-record test.net git sshfp 600 "1 2
e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb79"
New rrset:
git.test.net. 600 IN SSHFP 1 2
e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb790 <- 0 on the end
* having a malformed fingerprint of (hash size - 1) yields the same error with
the trailing 0 added:
{"error": "Record sshfp.test.net./SSHFP '1 2
e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb': Not in expected
format (parsed as '1 2
e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb0')"} <- 0 on the end
pdnsutil add-record test.net sshfp sshfp 600 "1 2
e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb"
New rrset:
sshfp.test.net. 600 IN SSHFP 1 2
e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb0 <- trailing zero
* testing a malformed fingerprint size of (hash size +/- 2) is accepted with no
complaints from both the API and pdnsutil
My question is:
* is there any validation on the SSHFP fingerprint size based on the hash type?
* where does this trailing zero come from on hash size of +/- 1?
Best,
Atanas
—
PGP: 0178 A605 C5E5 D207 E940 D109 BACE D962 BA03 327F
_______________________________________________
Pdns-users mailing list
https://mailman.powerdns.com/mailman/listinfo/pdns-users
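Added example, not from the post above and not PowerDNS code: a small validator that checks an SSHFP fingerprint against the digest length its fingerprint type implies (type 1 = SHA-1, 20 bytes, RFC 4255; type 2 = SHA-256, 32 bytes, RFC 6594), plus a hypothetical nibble-at-a-time hex parser that illustrates one way an odd number of hex digits ends up re-encoded with a trailing 0. Whether PowerDNS's own parser works this way is an assumption here, not something the thread confirms; the sample fingerprints are constructed.

```python
"""Added example (not from the mailing-list post or from PowerDNS):
length validation for SSHFP fingerprints, and an illustration of how a
lenient hex parser turns an odd number of hex digits into a trailing 0.
The parser below is a hypothetical illustration of that mechanism."""

import hashlib
import string

# Digest length in bytes for each SSHFP fingerprint type:
# type 1 = SHA-1 (RFC 4255), type 2 = SHA-256 (RFC 6594).
FINGERPRINT_LENGTHS = {1: 20, 2: 32}

# SSHFP algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519.
KNOWN_ALGORITHMS = {1, 2, 3, 4}


def parse_hex_nibbles(text: str) -> bytes:
    """Decode hex one nibble at a time (hypothetical lenient parser).

    With an odd number of digits the dangling last nibble becomes the high
    half of a final byte, so '...1eb79' decodes to bytes ending 0x1e 0xb7 0x90
    and re-encodes as '...1eb790': the observed trailing 0.
    """
    digits = [int(c, 16) for c in text]
    out = bytearray()
    for i in range(0, len(digits), 2):
        high = digits[i]
        low = digits[i + 1] if i + 1 < len(digits) else 0  # padding nibble
        out.append((high << 4) | low)
    return bytes(out)


def roundtrip(text: str) -> str:
    """Decode and re-encode; differs from the input only for odd lengths."""
    return parse_hex_nibbles(text).hex()


def validate_sshfp(algorithm: int, fp_type: int, fingerprint: str):
    """Return (True, 'ok') or (False, reason) for an SSHFP RDATA triple.

    Checks the fingerprint is hex, has an even digit count, and has exactly
    the byte length the fingerprint type requires. An even-length but
    wrong-size value round-trips unchanged through a hex parser, so only an
    explicit length check catches the '+/- 2' case from the thread.
    """
    if algorithm not in KNOWN_ALGORITHMS:
        return False, f"unknown algorithm {algorithm}"
    if fp_type not in FINGERPRINT_LENGTHS:
        return False, f"unknown fingerprint type {fp_type}"
    if not fingerprint or any(c not in string.hexdigits for c in fingerprint):
        return False, "fingerprint is not hexadecimal"
    if len(fingerprint) % 2:
        return False, (f"odd number of hex digits ({len(fingerprint)}); "
                       "a nibble-padding parser would append a 0")
    expected = FINGERPRINT_LENGTHS[fp_type]
    actual = len(fingerprint) // 2
    if actual != expected:
        return False, f"fingerprint is {actual} bytes, type {fp_type} requires {expected}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a genuine SHA-256 digest of a made-up key blob.
    good = hashlib.sha256(b"constructed host key").hexdigest()
    cases = [("correct", good),
             ("one digit short", good[:-1]),
             ("two digits short", good[:-2])]
    for label, fp in cases:
        ok, why = validate_sshfp(4, 2, fp)
        changed = roundtrip(fp) != fp
        print(f"{label:17s} digits={len(fp)} roundtrip_changed={changed} -> {why}")
```

Run it and the one-digit-short case is the only one whose round trip changes (it grows a trailing 0), while the two-digits-short case round-trips cleanly and is rejected only by the explicit per-type length check.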