SSHFP observation

Mark Andrews marka at isc.org
Fri Feb 1 01:05:21 UTC 2019



> On 1 Feb 2019, at 11:34 am, Alan Clegg <alan at clegg.com> wrote:
> 
> On 1/31/19 7:19 PM, Mark Andrews wrote:
> 
>>> Question: How does named (actually 'dig') know that any given data (in
>>> this case "AA") can't be a fingerprint?
>>> Difficulty: You are only allowed to use the information provided in RFC
>>> 4255 and errata in your answer.
>> 
>> Mathematics.  I’ll presume I can use all of the RFC some of which state
>> minimum sizes for cryptographic hashes.  Developers are expected to use
>> all their knowledge.
> 
> Developers are supposed to follow the RFC.  For "future proofing", I
> can't see adding a constraint that isn't in the RFC.

RFC’s don’t always specify what is needed.  They are written by humans
and sometimes there is no answer yet.

>> There is no minimum size on that field though clearly 8 bits
>> is insane. Is an empty field allowed?
> 
> I'm not going to question anyone's sanity.  We do DNS for a living.  How
> sane is that?  Hmmmmm?  Yeah, thought so.

It could indicate that SSH is not supported on this host along with 0 0
in the first two fields.  That hasn’t been defined yet to the best of my knowledge
but it could be.  The future is hard to predict, but we still need to allow for it.

		c.f. example.com. MX 0 .

>>> My reading: The RFC doesn't specify what a fingerprint is other than "an
>>> opaque octet string [..] which is placed as-is in the RDATA fingerprint
>>> field.”
>> 
>> It also specifies that 1 is SHA-1 and there is a followup RFC that specifies
>> 2 is SHA256.  In this case the record is clearly wrong as it is too short
>> to be SHA1.
> 
> That means that we have a BUNCH of "still to be allocated" algorithms.
> I'm not smart enough to say exactly what they are going to need to
> encode in that "fingerprint" field other than something encoded in hex.
> One byte?  More?  Sure!
> 
> The RFC doesn't specify a minimum,  named doesn't enforce a two-byte
> minimum - what are we arguing about again?
> 
> Oh yeah... dig doesn't like one byte.
> 
> So... WHY are we arguing about this?

Because we like to have friendly arguments at times.  We could leave this
as is or s/4/3/ and be done (or should that be s/4/2/ :-)).  We could also
teach BIND about what the value 1 and 2 mean and enforce the rdata length
for those values.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
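The last option Mark raises, teaching the resolver what fingerprint types 1 and 2 mean and enforcing the RDATA length only for those values, is shown below as an added example. It is not BIND or dig code; it is a small standalone SSHFP checker that holds SHA-1 (type 1, RFC 4255) and SHA-256 (type 2, the follow-up RFC) to their digest lengths while leaving unassigned types as opaque octet strings, exactly the "future proofing" the thread is arguing over. The algorithm-number table, the constructed Ed25519 key blob and the function names are this example's own, not anything from the thread.

```python
import hashlib
import struct

# Fingerprint types the thread names: 1 = SHA-1 (RFC 4255), 2 = SHA-256.
# Anything else is treated as an opaque octet string with no length rule.
FPTYPE_HASH = {1: "sha1", 2: "sha256"}
FPTYPE_LENGTH = {1: 20, 2: 32}

# Key algorithm numbers (assumed from the SSHFP registry; only used for
# labelling, the checker does not constrain them).
ALGORITHM_NAME = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519"}


def parse_sshfp(rdata_text):
    """Parse presentation-format SSHFP RDATA: "<algorithm> <fptype> <hex>".

    The hex part may be split over several whitespace-separated chunks,
    as dig prints long fingerprints.  Returns (algorithm, fptype, bytes).
    """
    fields = rdata_text.split()
    if len(fields) < 3:
        raise ValueError("SSHFP needs algorithm, fingerprint type and fingerprint")
    algorithm, fptype = int(fields[0]), int(fields[1])
    if not (0 <= algorithm <= 255 and 0 <= fptype <= 255):
        raise ValueError("algorithm and fingerprint type are single octets")
    hexdigits = "".join(fields[2:])
    if len(hexdigits) % 2:
        raise ValueError("fingerprint hex string has odd length")
    return algorithm, fptype, bytes.fromhex(hexdigits)


def check_sshfp(algorithm, fptype, fingerprint):
    """Classify a parsed record.

    Returns "valid" when the fingerprint type is known and the length matches
    its digest, "opaque" when the type is unassigned (accepted as-is, per the
    RFC wording quoted in the thread), and raises ValueError for a known type
    whose length is wrong, which is the "2 1 AA" case that started this.
    """
    expected = FPTYPE_LENGTH.get(fptype)
    if expected is None:
        return "opaque"
    if len(fingerprint) != expected:
        raise ValueError(
            f"fingerprint type {fptype} ({FPTYPE_HASH[fptype]}) needs "
            f"{expected} bytes, got {len(fingerprint)}")
    return "valid"


def sshfp_from_pubkey(algorithm, fptype, pubkey_blob):
    """Build presentation-format SSHFP RDATA from a raw SSH public key blob
    (the base64-decoded part of an authorized_keys line)."""
    digest = hashlib.new(FPTYPE_HASH[fptype], pubkey_blob).hexdigest()
    return f"{algorithm} {fptype} {digest}"


def constructed_ed25519_blob():
    """A constructed (not real) Ed25519 key blob in SSH wire format:
    string "ssh-ed25519" followed by a 32-byte key, each length-prefixed."""
    name = b"ssh-ed25519"
    key = bytes(range(32))
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key


if __name__ == "__main__":
    # The one-byte record from the thread: parses, but fails the SHA-1 length rule.
    alg, fpt, fp = parse_sshfp("2 1 AA")
    try:
        check_sshfp(alg, fpt, fp)
    except ValueError as err:
        print("rejected:", err)
    # A record built from a constructed key round-trips as valid.
    rdata = sshfp_from_pubkey(4, 2, constructed_ed25519_blob())
    print(rdata, "->", check_sshfp(*parse_sshfp(rdata)))
    # An unassigned fingerprint type is passed through untouched.
    print("9 7 AA ->", check_sshfp(*parse_sshfp("9 7 AA")))
```

Note what the checker does not do: it never rejects a record for an unassigned fingerprint type, however short, so a future type that really does use a one-byte value would still load. Only the two types whose digest sizes are published are held to a length, which is the narrow check the thread ends on.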