I've experimented with DNSSEC and SSHFP ecdsa key, plus unbound as local validating dns resolver (dig spot.xmw.de reports the AD flag). --with-ldns is required for ssh to see these records as secure:

ssh -v spot.xmw.de
...
debug1: found 6 secure fingerprints in DNS
...

it's otherwise

...
debug1: found 6 insecure fingerprints in DNS
...

my quick workaround was

emerge -av1 net-libs/ldns
EXTRA_ECONF="--with-ldns" ebuild /usr/portage/net-misc/openssh/openssh-6.1_p1.ebuild manifest install qmerge

maybe you can add a use flag for that, there is no specific for *dnssec* stuff, imho. thank you
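What the "secure" versus "insecure fingerprints" distinction above boils down to, as an added example (not code from this bug report, from OpenSSH or from Gentoo): ssh hashes the raw host key blob, compares it with the SSHFP records it got back, and only treats a match as secure when the validating resolver set the AD flag on the answer. The record layout and algorithm/fingerprint numbers follow RFC 4255, RFC 6594 and RFC 7479; the sample host key is constructed (a zero-filled Ed25519 blob) and the RR line is built from it, so nothing here touches the network.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex_fingerprint) for one OpenSSH public key line.

    The fingerprint is the digest of the raw, base64-decoded key blob, which is
    what `ssh-keygen -r host` publishes and what ssh compares against DNS.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed key type; it must match the label.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key blob does not match declared key type")
    return SSHFP_ALGORITHM[keytype], fptype, SSHFP_DIGEST[fptype](blob).hexdigest()


def parse_sshfp_rr(rr_line):
    """Parse one SSHFP record in dig's presentation format
    ('name ttl IN SSHFP alg fptype hex'). Returns (alg, fptype, lowercase hex)."""
    fields = rr_line.split()
    i = fields.index("SSHFP")
    alg, fptype = int(fields[i + 1]), int(fields[i + 2])
    # dig may break a long fingerprint at whitespace; join the remaining fields.
    fp = "".join(fields[i + 3:]).lower()
    return alg, fptype, fp


def verify_host_key(pubkey_line, records, ad_flag):
    """Model the decision ssh makes with VerifyHostKeyDNS.

    A record matches when algorithm, fingerprint type and digest all agree with
    the presented host key. A match is 'secure' only when the DNS answer carried
    the AD flag, i.e. the local validating resolver (unbound in the thread)
    verified the DNSSEC chain. Without AD it is 'insecure', and ssh does not
    accept the key on its own. 'nomatch' means no record agreed.
    """
    matched = False
    for alg, fptype, fp in records:
        if fptype not in SSHFP_DIGEST:
            continue  # unknown fingerprint type: skip it rather than trust it
        want_alg, _, want_fp = sshfp_from_pubkey(pubkey_line, fptype)
        if alg == want_alg and fp.lower() == want_fp:
            matched = True
    if not matched:
        return "nomatch"
    return "secure" if ad_flag else "insecure"


# Constructed sample host key: a well-formed Ed25519 wire blob with a zero-filled
# 32-byte public key. It is NOT a real key; it only lets the example run offline.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " example@host"


if __name__ == "__main__":
    alg, fptype, fp = sshfp_from_pubkey(SAMPLE_PUBKEY)
    rr = "spot.xmw.de. 3600 IN SSHFP %d %d %s" % (alg, fptype, fp)  # constructed RR
    print(rr)
    print("with AD:   ", verify_host_key(SAMPLE_PUBKEY, [parse_sshfp_rr(rr)], ad_flag=True))
    print("without AD:", verify_host_key(SAMPLE_PUBKEY, [parse_sshfp_rr(rr)], ad_flag=False))
```

The AD flag is the whole point of the --with-ldns build: without a DNSSEC-aware resolver library ssh has no way to learn whether the answer was validated, so every SSHFP match is reported as insecure, exactly as in the second debug1 line above.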
In CVS as of 6.1_p1-r1
I have the "ldns" USE flag disabled, but the ebuild still pulls in net-libs/ldns.
(In reply to comment #2)
> I have the "ldns" USE flag disabled, but the ebuild still pulls in
> net-libs/ldns.

Reported as bug 452772 by Lars.

Reopen because the ldns[ssl] dependency triggers ldns[ecdsa] (ecdsa defaults to on) which to configure with openssl[bindist] (bindist defaults to on)
See bug 452770 and my comment
https://bugs.gentoo.org/show_bug.cgi?id=452770#c3
for details.

I strongly suggest to depend on "ldns? ( ldns[ecdsa] )", to aid ECDSA deployment.
this breaks stage builds, ldns pulled even with ldns? and failing to build due to ecdsa

configure: error: OpenSSL does not support ECDSA: please upgrade OpenSSL or rerun with --disable-ecdsa
(In reply to comment #3)
> (In reply to comment #2)
> > I have the "ldns" USE flag disabled, but the ebuild still pulls in
> > net-libs/ldns.
> Reported as bug 452772 by Lars.

That part is fixed already.

> Reopen because the ldns[ssl] dependency triggers ldns[ecdsa] (ecdsa defaults
> to on) which to configure with openssl[bindist] (bindist defaults to on)
> See bug 452770 and my comment
> https://bugs.gentoo.org/show_bug.cgi?id=452770#c3
> for details.
>
> I strongly suggest to depend on "ldns? ( ldns[ecdsa] )", to aid ECDSA
> deployment.

How about this for dealing with stage building:

ldns? (
	!bindist? ( net-libs/ldns[ecdsa,ssl] )
	bindist? ( net-libs/ldns[-ecdsa,ssl] )
)
(In reply to comment #5)
> How about this for dealing with stage building:
> ldns? (
> 	!bindist? ( net-libs/ldns[ecdsa,ssl] )
> 	bindist? ( net-libs/ldns[-ecdsa,ssl] )
> )

fine. I assume stage3 tarballs qualify for binary distribution. stupid laws.
comment #5 implemented in CVS.
Really sorry to reopen this again, but after the recent ldns update, openssh needs an update too. Otherwise it'd crash like

michael@lore ~ % ssh root@::1
ssh: symbol lookup error: ssh: undefined symbol: strlcpy

michael@x ~ % ssh lore
ssh_exchange_identification: Connection closed by remote host

even on the running instance from before the update.
(In reply to comment #8)
> but after the recent ldns update, openssh needs an update to.
> Otherwise it'd crash like

revdep-rebuild --ignore -- -av doesn't get it
(In reply to comment #9)
> (In reply to comment #8)
> > but after the recent ldns update, openssh needs an update to.
> > Otherwise it'd crash like
>
> revdep-rebuild --ignore -- -av doesn't get it

or @preserved-rebuilds ;-)
that isn't a bug in openssh. file a bug for ldns.