IETF-SSH archive
Re: ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)
Hi Daniel,
Daniel Kahn Gillmor <dkg%fifthhorseman.net@localhost> writes:
> hi folks:
>
> it looks like ssh-keygen -r can't export SSHFP records for ECDSA keys:
>
> 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P ''
> 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub
> export_dns_rr: unsupported algorithm
> 0 dkg@pip:/tmp/cdtemp.oiRYAS$
>
> the first number in my prompt is the return code of the last command;
> note that ssh-keygen -r fails to produce an SSHFP DNS RR, but it returns 0.
>
> at the least, it should return non-zero on failure.
>
>
> I note that the relevant RFC doesn't include an enumeration for ECDSA:
>
> https://tools.ietf.org/html/rfc4255#section-3.1.1
>
> Could anyone on this list kick off the IETF process for allocating a new
> ID in that registry for ECDSA? I'm not currently involved in the IETF's
> Network Working Group so i don't really know the political landscape there.
I believe that the SSH development community will need to support this
effort:
http://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2-00
which specifies values for both the ECDSA algorithm and a SHA-256
fingerprint algorithm.
RFC 4255 enumerates the RSA and DSS algorithms and the SHA-1 fingerprint
type.
draft-os-ietf-sshfp-ecdsa-sha2-00, authored by O. Sury, has a typo in the
draft suggesting that they update RFC 4225, which is wrong, but it seems
to be a simple typo as the body of the draft references RFC 4255.
However, it does add ECDSA to the SSHFP RR types and SHA-256 to the
fingerprint types.
The draft expires on Dec 18, 2011.
This draft was sent to saag%ietf.org@localhost and the author also wrote a patch
for OpenSSH (portable) in
https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/entry/ssh-sshfp-ecdsa.patch
See the message thread here:
http://www.ietf.org/mail-archive/web/saag/current/msg03326.html
http://www.ietf.org/mail-archive/web/saag/current/msg03327.html
Stephen Farrell <stephen.farrell%cs.tcd.ie@localhost> says that the author is
asking the AD to sponsor the work. And Warren Kumari <warren%kumari.net@localhost>
has added his support.
This seems like something that should be raised on the
ietf-ssh%NetBSD.org@localhost list with a CC to saag%ietf.org@localhost, so
I have added these two lists to my response to this message.
For the record, my vote is +1 for this draft.
-- Mark
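As an added example (not code from this thread or from OpenSSH), the record construction the thread is about: the RFC 4255 algorithm and fingerprint numbers alongside the ones the draft adds (ECDSA = 3, SHA-256 = 2, the values later published in RFC 6594), with an unsupported key type reported as an error and a non-zero exit instead of the silent exit 0 Daniel describes. The key blob `YWJj` used in the test is a constructed placeholder (base64 of "abc") rather than a real key, and the hostname is assumed.

```python
# Added illustration, not OpenSSH code: build SSHFP RDATA from an OpenSSH
# public-key line. RSA = 1, DSS = 2 and SHA-1 = 1 are the RFC 4255 values;
# ECDSA = 3 and SHA-256 = 2 are the values assigned by
# draft-os-ietf-sshfp-ecdsa-sha2 (later published as RFC 6594).
import base64
import hashlib
import sys

# SSHFP algorithm number, keyed by the key-type token of the public-key line.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,  # all three NIST curves share algorithm 3
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}
# SSHFP fingerprint type number and the hash function it denotes.
SSHFP_FPTYPE = {"sha1": (1, hashlib.sha1), "sha256": (2, hashlib.sha256)}


def sshfp_rdata(pubkey_line, fptype="sha256"):
    """Return (algorithm, fingerprint_type, hex_fingerprint) for one key line.
    The fingerprint is the hash of the base64-decoded key blob (RFC 4255,
    section 3.1.3). An unsupported key type raises ValueError rather than
    silently producing no record.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, blob_b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("unsupported algorithm: %s" % keytype)
    fpnum, hasher = SSHFP_FPTYPE[fptype]
    blob = base64.b64decode(blob_b64)
    return SSHFP_ALGORITHM[keytype], fpnum, hasher(blob).hexdigest()


def sshfp_record(hostname, pubkey_line, fptype="sha256"):
    """Format the presentation form, e.g. 'host.example. IN SSHFP 3 2 <hex>'."""
    alg, fpnum, fp = sshfp_rdata(pubkey_line, fptype)
    return "%s IN SSHFP %d %d %s" % (hostname, alg, fpnum, fp)


if __name__ == "__main__":
    # python sshfp.py host.example. < foobar.pub ; exits 1 on unsupported keys.
    try:
        for line in sys.stdin:
            if line.strip():
                print(sshfp_record(sys.argv[1], line))
    except ValueError as exc:
        print("export_dns_rr: %s" % exc, file=sys.stderr)
        sys.exit(1)
```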