SSHFP observation
Lee
ler762 at gmail.com
Thu Jan 31 23:44:37 UTC 2019
On 1/31/19, Alan Clegg <alan at clegg.com> wrote:
> On 1/31/19 4:57 PM, Mark Andrews wrote:
>
>> Given type 1 is a SHA-1 fingerprint it isn’t legal. Named just
>> hasn’t added type to length to the parsing code.
>>
>> No real SSHFP will be 1 octet long.
>
> While I agree that it's junk, the RFC doesn't give the DNS software the
> ability to make that decision from my reading.
>
> There is nothing in the RFC about validating the correctness of the data:
I'm not following your logic. The RFC says a field is the fingerprint
and the user supplied data can't possibly be a fingerprint. It seems
to me there's a requirement to reject the user supplied data since it
can't possibly be a fingerprint.
Regards,
Lee
>
> --
> The RDATA of the presentation format of the SSHFP resource record
> consists of two numbers (algorithm and fingerprint type) followed by
> the fingerprint itself, presented in hex, e.g.:
>
> host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890
> --
>
> AlanC
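As an added example, not part of this thread and not BIND's (named's) code, here is the check the posts above argue about: a parser for SSHFP presentation-format RDATA that, for fingerprint types with a defined digest length (type 1 = SHA-1, 20 octets, RFC 4255; type 2 = SHA-256, 32 octets, RFC 6594), rejects a fingerprint field whose length does not match, while still accepting unassigned types whose length it cannot know. It also computes the RDATA a given host key should be published with, so a record can be checked against the key. The key blob is constructed bytes in SSH wire format, not a real key; the names `SSHFPError`, `parse_sshfp_rdata`, `is_valid_sshfp`, `sshfp_rdata_for_key` and `record_matches_key` are this example's own.

```python
"""Validate SSHFP RDATA (presentation format) and check it against a host key.

Added example for the thread above; this is not code from BIND (named).
"""
import binascii
import hashlib
import re
import struct

# Fingerprint type -> (hash name, digest length in octets).
# Type 1 (SHA-1) is defined in RFC 4255, type 2 (SHA-256) in RFC 6594.
FINGERPRINT_TYPES = {1: ("sha1", 20), 2: ("sha256", 32)}

# SSH key type -> SSHFP algorithm number
# (RFC 4255: 1 RSA, 2 DSS; RFC 6594: 3 ECDSA; RFC 7479: 4 Ed25519; RFC 8709: 6 Ed448).
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}


class SSHFPError(ValueError):
    """RDATA that is syntactically plausible but cannot be a real SSHFP record."""


def parse_sshfp_rdata(rdata):
    """Parse "<algorithm> <fingerprint type> <hex fingerprint>".

    Returns (algorithm, fingerprint_type, fingerprint_bytes). Raises SSHFPError
    when the fingerprint length is wrong for a known fingerprint type, which is
    the check the thread says named does not yet perform. Unassigned types are
    accepted unchecked, since their digest length is unknown to the parser.
    """
    fields = rdata.split()
    if len(fields) < 3:
        raise SSHFPError("expected <algorithm> <fingerprint type> <fingerprint>")
    try:
        algorithm, fp_type = int(fields[0]), int(fields[1])
    except ValueError:
        raise SSHFPError("algorithm and fingerprint type must be decimal integers")
    if not (0 <= algorithm <= 255 and 0 <= fp_type <= 255):
        raise SSHFPError("algorithm and fingerprint type are single octets")
    # Zone files may break the hex string into several words; join them.
    hexfp = "".join(fields[2:])
    if len(hexfp) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexfp):
        raise SSHFPError("fingerprint must be an even-length hex string")
    fingerprint = binascii.unhexlify(hexfp)
    if fp_type in FINGERPRINT_TYPES:
        expected = FINGERPRINT_TYPES[fp_type][1]
        if len(fingerprint) != expected:
            raise SSHFPError("fingerprint type %d needs %d octets, got %d"
                             % (fp_type, expected, len(fingerprint)))
    return algorithm, fp_type, fingerprint


def is_valid_sshfp(rdata):
    """True when parse_sshfp_rdata accepts the RDATA, False otherwise."""
    try:
        parse_sshfp_rdata(rdata)
    except SSHFPError:
        return False
    return True


def sshfp_rdata_for_key(key_type, key_blob, fp_type):
    """Build the SSHFP RDATA a host key should be published with.

    key_blob is the public key in SSH wire format (the base64-decoded second
    field of a host key line); SSHFP fingerprints are computed over those bytes.
    """
    if key_type not in KEY_ALGORITHMS:
        raise SSHFPError("no SSHFP algorithm number for key type %r" % key_type)
    if fp_type not in FINGERPRINT_TYPES:
        raise SSHFPError("cannot compute fingerprint type %d" % fp_type)
    digest = hashlib.new(FINGERPRINT_TYPES[fp_type][0], key_blob).hexdigest()
    return "%d %d %s" % (KEY_ALGORITHMS[key_type], fp_type, digest)


def record_matches_key(rdata, key_type, key_blob):
    """True when the published record is the fingerprint of this host key."""
    algorithm, fp_type, fingerprint = parse_sshfp_rdata(rdata)
    if algorithm != KEY_ALGORITHMS.get(key_type) or fp_type not in FINGERPRINT_TYPES:
        return False
    return fingerprint == hashlib.new(FINGERPRINT_TYPES[fp_type][0], key_blob).digest()


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample key blob laid out like an ssh-ed25519 key; NOT a real key.
SAMPLE_KEY_TYPE = "ssh-ed25519"
SAMPLE_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))

# The RFC 4255 example quoted above: 40 hex digits, i.e. the 20 octets a
# type 1 (SHA-1) fingerprint must have.
RFC_EXAMPLE = "2 1 123456789abcdef67890123456789abcdef67890"

if __name__ == "__main__":
    print(parse_sshfp_rdata(RFC_EXAMPLE))
    for bad in ("2 1 ab", "2 2 " + "ab" * 20, "4 9 ab"):
        print(repr(bad), "accepted" if is_valid_sshfp(bad) else "rejected")
    rec = sshfp_rdata_for_key(SAMPLE_KEY_TYPE, SAMPLE_KEY_BLOB, 2)
    print(rec, record_matches_key(rec, SAMPLE_KEY_TYPE, SAMPLE_KEY_BLOB))
```

The 1-octet record from the thread (`2 1 ab`) parses as syntax but is rejected on length; a record with an unassigned fingerprint type is let through, which is the most a parser can do without knowing the digest the type denotes.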