Bug 11797 - Support for SSHFP records
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server
Version: unspecified
Hardware: All
OS: All
Importance: P5 enhancement
Target Milestone: ---
Assigned To: Kai Blin
QA Contact: Samba QA Contact
Reported: 2016-03-16 12:33 UTC by Sketch
Modified: 2016-03-23 15:52 UTC (History)
Description Sketch 2016-03-16 12:33:10 UTC
Neither the internal DNS server nor bind9_dlz support SSHFP records.  It would be nice if we could get this added to at least one of them.  More info:

https://tools.ietf.org/html/rfc4255

http://unix.stackexchange.com/questions/121880/how-do-i-generate-sshfp-records
Comment 1 Björn Jacke 2016-03-16 15:09:17 UTC
On 2016-03-16 at 12:33 +0000 samba-bugs@samba.org sent off:
> Neither the internal DNS server nor bind9_dlz support SSHFP records.  It would
> be nice if we could get this added to at least one of them.  More info:

can't we support arbitrary DNS record types even if the Name is not known
(yet)?

For example old Bind versions don't know TLSA records like this:

In recent Bind versions you can define TLSA records like that.

_443._tcp.www.example.com.  3600  IN  TLSA  3 0 1 685127ee0c5036ff924d5de86beb02182428126df2a2146650265c1f21c8a3a0

with old Bind versions not knowing about TLSA records, this fails. But you can
add the generic DNS record by giving the TYPE<number> record type instead of
the name:

_443._tcp.www.example.com.  3600  IN  TYPE52  \# 35 030001685127ee0c5036ff924d5de86beb02182428126df2a2146650265c1f21c8a3a0
AFAIKS only a DNS client has to know about the TLSA record name type only to
translate it to the right RR type code. The server just has to accept the
TYPE52 or whatever comes in. The RR type code for the SSHFP RR would be 44.
Comment 2 Sketch 2016-03-22 15:15:33 UTC
I generally use samba-tool to create DNS records.  Doesn't seem like this is possible.

Usage: samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>

However, I whipped up a script to use nsupdate, and if I try to use a type of SSHFP, it unsurprisingly gives me an error:

named-sdb[1147]: samba_dlz: unsupported record type 'SSHFP' for 'myhost.mydomain.com.'

No problem, I'll just use TYPE44 instead.  I wasn't sure if the \# was required or if that was a TLSA thing, or a typo, but it seems to cause a failure:

update add myhost.mydomain.com 3600 TYPE44 \# 1 1 d3b07384d113edec49eaa6238ad5ff00
invalid rdata format: ran out of space

Without the \#, nsupdate appears to successfully send the data to the DNS server, but again, I can see in the logs that the DNS server identifies it as SSHFP and fails to add it.

update add myhost.mydomain.com 3600 TYPE44 1 1 d3b07384d113edec49eaa6238ad5ff00

named-sdb[1147]: client 10.10.10.54#36590: updating zone 'mydomain.com/NONE': adding an RR at 'myhost.mydomain.com' SSHFP
named-sdb[1147]: samba_dlz: unsupported record type 'SSHFP' for 'myhost.mydomain.com.'
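Added example, not code from this bug report or from Samba: a small Python helper that derives SSHFP RDATA from an OpenSSH public key line and renders it both as a normal SSHFP record and as the RFC 3597 generic TYPE44 form discussed in Comment 1 and Comment 2. In the generic form the \# token is followed by the total RDATA byte count and then the hex of the whole RDATA (algorithm and fingerprint-type bytes included), and the parser below rejects a count that does not match the data; the key blob and host name are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers by OpenSSH key type (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}
SSHFP_TYPE = 44  # RR type code for SSHFP


def sshfp_rdata(pubkey_line, fp_type=2):
    """Return the SSHFP RDATA bytes (algorithm, fp type, digest) for an
    OpenSSH public key line such as the contents of ssh_host_*_key.pub."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with the key type as an SSH string; refuse mismatches.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type field does not match the key blob")
    digest = FP_HASHES[fp_type](blob).digest()
    return bytes([SSHFP_ALGORITHMS[key_type], fp_type]) + digest


def presentation(name, rdata, ttl=3600):
    """Text form for a server that knows the SSHFP mnemonic."""
    return "%s %d IN SSHFP %d %d %s" % (name, ttl, rdata[0], rdata[1], rdata[2:].hex())


def generic(name, rdata, ttl=3600):
    """RFC 3597 unknown-type form: the total RDATA length, then all RDATA as hex."""
    return "%s %d IN TYPE%d \\# %d %s" % (name, ttl, SSHFP_TYPE, len(rdata), rdata.hex())


def parse_generic(line):
    """Parse the TYPE44 \\# form back to (algorithm, fp_type, fingerprint_hex),
    rejecting a declared length that does not match the hex actually given."""
    fields = line.split()
    idx = fields.index("\\#")
    if fields[idx - 1] != "TYPE%d" % SSHFP_TYPE:
        raise ValueError("not a TYPE44 record")
    declared = int(fields[idx + 1])
    rdata = bytes.fromhex("".join(fields[idx + 2:]))  # hex may be split by spaces
    if len(rdata) != declared or declared < 2:
        raise ValueError("declared length %d, got %d bytes" % (declared, len(rdata)))
    return rdata[0], rdata[1], rdata[2:].hex()


# Constructed sample: an ssh-ed25519 blob with a dummy 32-byte key, not a real host key.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed@example"
```

Comparing the output of parse_generic against the fingerprint computed from the host's own key file is the check that tells you whether a published record is still correct.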
Comment 3 Kai Blin 2016-03-23 08:52:05 UTC
> can't we support arbitrary DNS record types even if the Name is not known
> (yet)?

...

> AFAIKS only a DNS client has to know about the TLSA record name type only to
> translate it to the right RR type code. The server just has to accept the
> TYPE52 or whatever comes in. The RR type code for the SSHFP RR would be 44.

This is not true for our DNS implementations, as we need to translate 
records between the on-wire format to the respective storage format that 
is used in AD.

Basically, please stop comparing Samba DNS against BIND. Compare it 
against the Windows AD DNS server.

While we of course can make up our own way to store things in AD, I'm 
not sure how well Windows AD DNS would deal with those records in a 
hybrid scenario.
Comment 4 Kai Blin 2016-03-23 08:55:33 UTC
That being said, if anybody wants to build this and then see how Windows handles it, I'm happy to review patches.
Comment 5 Sketch 2016-03-23 15:52:03 UTC
It appears that Windows DNS doesn't officially support SSHFP, but it's possible to use nsupdate to add records for it as suggested by Björn, if this is any indication:

http://serverfault.com/questions/675413/sshfp-records-on-windows-dns-server

That said, my domain controllers are all Samba, so I wouldn't care if it broke Windows DNS server compatibility.