summary: Support for host key fingerprints in DNS
class: wish: This is a request for an enhancement.
difficulty: tricky: Needs many tuits.
priority: low: We aren't sure whether to fix this or not.
We occasionally get requests to support reading SSH host key
fingerprints from the DNS, as defined by
RFC 4255.
To implement this, there are two major things to be dealt with:

Since the SSHFP DNS records are a type of record not natively
supported by operating systems' resolvers, we'd firstly need access to
the resolver at a level permitting us to query for SSHFP and parse the
returned records directly (since I very much doubt we'd want to
implement an entire resolver ourselves).

At least some operating systems provide some suitable facilities:

  - OpenSSH (for Unix), for example, uses a function called
    getrrsetbyname(), which appears to exist natively on OpenBSD,
    and can perhaps also be provided by BIND9;
    Portable OpenSSH also has a local version of this function based
    on the slightly lower-level res_query() in -lresolv,
    which is claimed to come from 4.3BSD and exists on at least Linux,
    NetBSD, and Solaris, so may be a better bet;
  - Similarly, recent versions of Windows (from 2000) provide
    DnsQuery(), which appears to be at the right level.

More importantly, the RFC expects that the records should be
accompanied by trusted DNSSEC signatures. Many common operating
systems don't obviously appear to provide DNSSEC facilities to clients
(although OpenBSD getrrsetbyname() claims to), and I don't
think we'd want to attempt to implement the whole of DNSSEC signature
verification in PuTTY.
If we can't trust the SSHFP records not to have been tampered with,
they could only ever be used as a hint; for instance, to bring up a
"host key has changed" dialog, or to mention in the "new host key"
dialog. We wouldn't automatically accept a connection to an unknown
host solely on the basis of an untrusted SSHFP record. (In fact, we
might have to leave use of DNS fingerprints off by default, to avoid
the possible nuisance value of getting "host key changed" prompts
based on DNS.)
Even if the OS did indicate that it had verified a DNSSEC signature, I
think we'd want the decision of whether PuTTY trusted that
signature to be configurable.
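The two pieces described above, parsing an SSHFP record and then deciding how much weight to give it, are small enough to sketch in a few dozen lines. The following is an added example, not PuTTY code: it parses SSHFP RDATA in both wire and presentation form, computes the RFC 4255 fingerprint (the hash of the raw public key blob) for a constructed ssh-rsa blob that is not a real key, and implements the policy the text sketches, where an unauthenticated answer is only a hint and counts as verification only when the resolver reports a validated DNSSEC signature and the user has configured that trust. The function names, the `decide` return tuple and the sample blob are assumptions of this example; the code points come from RFC 4255 and the later registry additions in RFC 6594 and RFC 7479.

```python
import hashlib
import struct
from dataclasses import dataclass

# Algorithm and fingerprint-type code points: RFC 4255 defines RSA=1, DSS=2
# and SHA-1=1; RFC 6594 added ECDSA=3 and SHA-256=2; RFC 7479 added Ed25519=4.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2,
                   "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
                   "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}


@dataclass(frozen=True)
class SSHFP:
    algorithm: int
    fptype: int
    fingerprint: bytes


def parse_sshfp_rdata(rdata: bytes) -> SSHFP:
    """Parse one SSHFP RDATA (RFC 4255 section 3.1): one octet algorithm,
    one octet fingerprint type, then the fingerprint itself."""
    if len(rdata) < 3:
        raise ValueError("SSHFP RDATA too short")
    alg, fpt, fp = rdata[0], rdata[1], rdata[2:]
    if fpt not in SSHFP_FPTYPE:
        raise ValueError(f"unknown SSHFP fingerprint type {fpt}")
    expected = hashlib.new(SSHFP_FPTYPE[fpt]).digest_size
    if len(fp) != expected:
        raise ValueError(f"fingerprint is {len(fp)} bytes, expected {expected}")
    return SSHFP(alg, fpt, fp)


def parse_sshfp_presentation(rdata_text: str) -> SSHFP:
    """Parse the zone-file form of the RDATA, e.g. '1 1 <hex fingerprint>';
    the hex may be split across whitespace, which is tolerated here."""
    alg, fpt, *hexparts = rdata_text.split()
    return parse_sshfp_rdata(bytes([int(alg), int(fpt)]) + bytes.fromhex("".join(hexparts)))


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def key_type(blob: bytes) -> str:
    """The first SSH string of a public key blob names its algorithm."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def sshfp_fingerprint(blob: bytes, fptype: int) -> bytes:
    """RFC 4255 fingerprints are the hash over the raw public key blob
    (the base64-decoded field of a known_hosts line)."""
    return hashlib.new(SSHFP_FPTYPE[fptype], blob).digest()


def sshfp_matches(blob: bytes, rec: SSHFP) -> bool:
    """A record matches only if both the algorithm code and the digest agree."""
    return (SSHFP_ALGORITHM.get(key_type(blob)) == rec.algorithm
            and sshfp_fingerprint(blob, rec.fptype) == rec.fingerprint)


def decide(blob: bytes, records, dnssec_validated: bool,
           dns_fingerprints_enabled: bool, trust_dnssec: bool):
    """Returns (verdict, authoritative). The verdict says what the DNS data
    said about the key; 'authoritative' is False whenever the answer may only
    be used as a hint (e.g. to colour the new-key / changed-key dialog) and
    True only when the resolver validated DNSSEC and the user opted to trust it."""
    if not dns_fingerprints_enabled:
        return ("disabled", False)
    if not records:
        return ("no-record", False)
    authoritative = bool(dnssec_validated and trust_dnssec)
    verdict = "match" if any(sshfp_matches(blob, r) for r in records) else "mismatch"
    return (verdict, authoritative)


# Constructed sample: an ssh-rsa blob with e=65537 and an arbitrary, non-prime
# 64-byte "modulus". It is not a usable key, only something to fingerprint.
SAMPLE_RSA_BLOB = (ssh_string(b"ssh-rsa")
                   + ssh_string(b"\x01\x00\x01")
                   + ssh_string(bytes([0x5a]) + bytes(range(63))))

if __name__ == "__main__":
    fp_hex = sshfp_fingerprint(SAMPLE_RSA_BLOB, 1).hex()
    rec = parse_sshfp_presentation(f"1 1 {fp_hex}")
    print("unsigned answer:", decide(SAMPLE_RSA_BLOB, [rec], False, True, True))
    print("validated answer:", decide(SAMPLE_RSA_BLOB, [rec], True, True, True))
```

The `decide` function deliberately separates what the record said from whether it may be acted upon: a client that only has the resolver's unauthenticated answer should never promote "match" into skipping the host key prompt, which is the distinction the text draws between a hint and a trusted SSHFP record.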
All in all, on the platforms we support, what we could easily
implement may not be useful enough to be worth the effort.