From: Gavin Atkinson <gavin@FreeBSD.org>
To: Ralph Holz
Cc: bugbusters@freebsd.org
Date: Thu, 15 Aug 2013 18:22:09 +0100 (BST)
Subject: Re: Wrong SSHFP on FreeBSD servers
In-Reply-To: <520CDDB5.8080307@net.in.tum.de>
List: freebsd-bugbusters@freebsd.org ("Coordination of the Problem Report handling effort.")

On Thu, 15 Aug 2013, Ralph Holz wrote:

> Dear FreeBSD team,
>
> I am not sure if I got the right mail address, but nevertheless:

It's not the right email address, but I'll see if I can help - and if
not, I'll forward your email on to the right people.

> A routine scan of SSH and DNS has marked the following of your domains
> as presenting inaccurate SSHFP resource records. Can you confirm this?

As far as I can tell, the records are correct. I'd be interested in
knowing why you think they are wrong... Just picking the top three from
your list:

> pkg-master.freebsd.org
> ref8-amd64.freebsd.org
> admin0.nyi.freebsd.org

gavin@freefall:/home/gavin 101% dig sshfp pkg-master.freebsd.org
[...]
pkg-master.freebsd.org. 2925 IN SSHFP 1 1 F9649EA3087196CEC3E95A3D57F2D9FE2C2BAA51
pkg-master.freebsd.org. 2925 IN SSHFP 1 2 646A119A9822F1FDBD43CE737B61AED68909CF7A6DB967D34CDDD2DA 4F65FF93
pkg-master.freebsd.org. 2925 IN SSHFP 2 1 7764B5F462C11EA20AF9BA284DC9D64F2FBCED98
pkg-master.freebsd.org. 2925 IN SSHFP 2 2 A6E58FF7F28C17FAFD1AF9531FACF8F7C5E03B7FF2D3503731B93BF9 393C2171
pkg-master.freebsd.org. 2925 IN SSHFP 3 1 D2A7DA2E3D1D2C2533544CB3BAEC9F8BFDB17010
pkg-master.freebsd.org. 2925 IN SSHFP 3 2 79CB56F5E0693F1A691ABBA5A40BB2A0DC3EEC50F24AF82AFB7050AB E7D1AD44

(and logged onto pkg-master.freebsd.org:)

> ssh-keygen -r localhost
localhost IN SSHFP 1 1 f9649ea3087196cec3e95a3d57f2d9fe2c2baa51
localhost IN SSHFP 1 2 646a119a9822f1fdbd43ce737b61aed68909cf7a6db967d34cddd2da4f65ff93
localhost IN SSHFP 2 1 7764b5f462c11ea20af9ba284dc9d64f2fbced98
localhost IN SSHFP 2 2 a6e58ff7f28c17fafd1af9531facf8f7c5e03b7ff2d3503731b93bf9393c2171
localhost IN SSHFP 3 1 d2a7da2e3d1d2c2533544cb3baec9f8bfdb17010
localhost IN SSHFP 3 2 79cb56f5e0693f1a691abba5a40bb2a0dc3eec50f24af82afb7050abe7d1ad44

gavin@freefall:/home/gavin 102% dig sshfp ref8-amd64.freebsd.org
[...]
;; ANSWER SECTION:
ref8-amd64.freebsd.org. 3600 IN SSHFP 1 1 70892BE73E725D8F93F79314FF17B415B7FEFA53
ref8-amd64.freebsd.org. 3600 IN SSHFP 1 2 011C80E6248A613542745BB6648FAF7F7798494B9E545AD7FEC1186F 5F89E97C
ref8-amd64.freebsd.org. 3600 IN SSHFP 2 1 9B54EB4DAAEFDD5BD757881F39488DD66727ACAB
ref8-amd64.freebsd.org. 3600 IN SSHFP 2 2 58FC35CD7049012DAE97DD7EC903354156CBE737C76E8C59444EAAB1 A9398906
ref8-amd64.freebsd.org. 3600 IN SSHFP 3 1 739DE449007C61783777EF07024C503071B3849A
ref8-amd64.freebsd.org. 3600 IN SSHFP 3 2 EF09E85770695C4C24A3F0171457CE72388112DD9236115FF1DE7191 8CD6B10A

(and logged onto ref8-amd64.freebsd.org:)

104% ssh-keygen -r localhost
localhost IN SSHFP 1 1 70892be73e725d8f93f79314ff17b415b7fefa53
localhost IN SSHFP 1 2 011c80e6248a613542745bb6648faf7f7798494b9e545ad7fec1186f5f89e97c
localhost IN SSHFP 2 1 9b54eb4daaefdd5bd757881f39488dd66727acab
localhost IN SSHFP 2 2 58fc35cd7049012dae97dd7ec903354156cbe737c76e8c59444eaab1a9398906
localhost IN SSHFP 3 1 739de449007c61783777ef07024c503071b3849a
localhost IN SSHFP 3 2 ef09e85770695c4c24a3f0171457ce72388112dd9236115ff1de71918cd6b10a

gavin@freefall:/home/gavin 103% dig sshfp admin0.nyi.freebsd.org
[...]
;; ANSWER SECTION:
admin0.nyi.freebsd.org. 3600 IN SSHFP 1 1 623FA95A5F643A5943BF36F7719287616492E28B
admin0.nyi.freebsd.org. 3600 IN SSHFP 1 2 1059CC96B56DBD2CD23454AE4F5C74BCD145EF27FE8B06659083F866 8CAB0589
admin0.nyi.freebsd.org. 3600 IN SSHFP 2 1 35944945A1FAA03DD28CF4A0E1FBB157EB9F9683
admin0.nyi.freebsd.org. 3600 IN SSHFP 2 2 7B6A17F76E302013F0F75251E7E50650BC9B9E0AE5CB44CE57C07F66 369CE622
admin0.nyi.freebsd.org. 3600 IN SSHFP 3 1 F88889BB1BF296EF887FE16EBCC00F7CB0687D5D
admin0.nyi.freebsd.org. 3600 IN SSHFP 3 2 4F0077E3DEFF1545105C24C95B8D128D14235ACA66B4C9E2166CBBBB 63F88AA4

(and logged onto admin0.nyi.freebsd.org:)

localhost IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b
localhost IN SSHFP 1 2 1059cc96b56dbd2cd23454ae4f5c74bcd145ef27fe8b06659083f8668cab0589
localhost IN SSHFP 2 1 35944945a1faa03dd28cf4a0e1fbb157eb9f9683
localhost IN SSHFP 2 2 7b6a17f76e302013f0f75251e7e50650bc9b9e0ae5cb44ce57c07f66369ce622
localhost IN SSHFP 3 1 f88889bb1bf296ef887fe16ebcc00f7cb0687d5d
localhost IN SSHFP 3 2 4f0077e3deff1545105c24c95b8d128d14235aca66b4c9e2166cbbbb63f88aa4

All three appear to match up.

> I don't think it's a serious problem - no one seems to use these RR and
> we only found 3 (!) accurate RRs in our database... but still, I thought
> you might like to know.

Heh. We're actually using SSHFP (and DANE) now quite heavily - at least,
we're trying to publish records for everything. I have no idea how many
users use them, though I suspect if there were issues people would have
complained by now.

The fact that you have only found three accurate RRs suggests that maybe
the issue is at your end. Here's my theory: You're using "ssh-keygen -r"
to generate your data, and misunderstanding exactly what the argument to
-r means. Note that the argument to -r is not "show me fingerprints for
this host" but "show me fingerprints for the host I'm logged into, with
DNS entries suitable for this host". Or, to put it another way (all run
from admin0.nyi.freebsd.org):

> ssh-keygen -r admin0.nyi.freebsd.org |grep "SSHFP 1 1"
admin0.nyi.freebsd.org IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b
> ssh-keygen -r ref8-amd64.freebsd.org | grep "SSHFP 1 1"
ref8-amd64.freebsd.org IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b
> ssh-keygen -r pkg-master.freebsd.org | grep "SSHFP 1 1"
pkg-master.freebsd.org IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b

i.e. all show the same fingerprint - that of the local machine. Let me
further guess: Are the only three accurate RRs in your database those of
the machines you are running the tests from? :-)

Let me know if you get to the bottom of it, I am interested in the
outcome.

Thanks,

Gavin

>
> Thanks,
> Ralph
>
> pkg-master.freebsd.org
> ref8-amd64.freebsd.org
> admin0.nyi.freebsd.org
> routerer.freebsd.org
> portsmon.freebsd.org
> nova.freebsd.org
> bake.isc.freebsd.org
> admbas1.isc.freebsd.org
> package2.nyi.freebsd.org
> admbas1.nyi.freebsd.org
> vcs.nyi.freebsd.org
> admauth0.isc.freebsd.org
> repo.freebsd.org
> package17.nyi.freebsd.org
> admin1.nyi.freebsd.org
> igw0.bme.freebsd.org
> admin.bme.freebsd.org
> package12.nyi.freebsd.org
> bgp0-ext.ysv.freebsd.org
> ps.isc.freebsd.org
> gohan13.freebsd.org
> beefy1.isc.freebsd.org
> gohan12.freebsd.org
> igw1.isc.freebsd.org
> package5.nyi.freebsd.org
> admauth1.nyi.freebsd.org
> admauth1.isc.freebsd.org
> gohan61.freebsd.org
> ref9-amd64.freebsd.org
> vm0.freebsd.org
> package11.nyi.freebsd.org
> pkg-mirror0.nyi.freebsd.org
> repoman2.freebsd.org
> admin.isc.freebsd.org
> gohan10.freebsd.org
> snap.freebsd.org
> skunkworks.freebsd.org
> mailspool.freebsd.org
> bhyve.freebsd.org
> stream.freebsd.org
> admauth0.nyi.freebsd.org
> bbig.ysv.freebsd.org
> stench.freebsd.org
> package9.nyi.freebsd.org
> ref10-amd64.freebsd.org
> pb2.nyi.freebsd.org
> package13.nyi.freebsd.org
> halo.freebsd.org
> ref10-i386.freebsd.org
> ray.bme.freebsd.org
> beefy2.isc.freebsd.org
> mailhub.freebsd.org
> igw1.bme.freebsd.org
> routerer-ext.ysv.freebsd.org
> pointyhat-east.nyi.freebsd.org
> nbk0.nyi.freebsd.org
> pluto.freebsd.org
> admbas0.isc.freebsd.org
> cook.isc.freebsd.org
> worm.freebsd.org
> package8.nyi.freebsd.org
> ybk.ysv.freebsd.org
> bgp0.ysv.freebsd.org
> igw0.isc.freebsd.org
> svn.freebsd.org
> package4.nyi.freebsd.org
> flame.freebsd.org
> foundation.freebsd.org
> freefall.freebsd.org
> service2.freebsd.org
> fif0.nyi.freebsd.org
> package14.nyi.freebsd.org
> package3.nyi.freebsd.org
> bit-master.freebsd.org
> package16.nyi.freebsd.org
> igw0.nyi.freebsd.org
> portsindexbuild.ysv.freebsd.org
> routerest-ext.ysv.freebsd.org
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
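The check Gavin does by hand above (dig sshfp <host> on one machine, ssh-keygen -r on the host itself) can be done from anywhere if you compute the fingerprints straight from the host's public key blob, which is what an SSHFP record actually hashes. The following is an added example, not code from the original message or from the FreeBSD project: it derives the expected SSHFP RRs for a host from an OpenSSH public key line, parses dig-style answer lines, and reports records that describe some other machine's key, which is exactly what "ssh-keygen -r <otherhost>" run on the wrong machine publishes. The host names, keys and zone lines are constructed for the example; the algorithm and fingerprint-type numbers are the IANA values from RFC 4255, RFC 6594 and RFC 7479.

```python
"""Verify SSHFP resource records against a host's real public key (added example)."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the data."""
    return struct.pack(">I", len(data)) + data


def blob_key_type(blob: bytes) -> str:
    """Return the key type name that leads every SSH public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def sshfp_from_pubkey(owner: str, pubkey_line: str):
    """Compute the SSHFP RRs implied by one OpenSSH public key line.

    Accepts the 'type base64 [comment]' layout of ssh_host_*_key.pub and the
    'host type base64' layout used by ssh-keyscan and known_hosts. The SSHFP
    fingerprint is the hash of the raw key blob, i.e. the base64-decoded field.
    Returns a set of (owner, algorithm, fptype, hex_fingerprint) tuples.
    """
    fields = pubkey_line.split()
    if fields[0] in SSHFP_ALGORITHM:
        keytype, b64 = fields[0], fields[1]
    else:
        keytype, b64 = fields[1], fields[2]
    blob = base64.b64decode(b64)
    if blob_key_type(blob) != keytype:
        raise ValueError("key type inside blob does not match declared type")
    alg = SSHFP_ALGORITHM[keytype]
    return {(owner, alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_FPTYPE.items()}


def parse_sshfp_rr(line: str):
    """Parse one dig answer line: '<owner> <ttl> IN SSHFP <alg> <fptype> <hex...>'.

    dig breaks long fingerprints into space-separated chunks, so everything
    after the fingerprint type is joined back together.
    """
    fields = line.split()
    owner = fields[0].rstrip(".")
    alg, fptype = int(fields[4]), int(fields[5])
    return (owner, alg, fptype, "".join(fields[6:]).lower())


def check_sshfp(owner: str, dns_lines, pubkey_lines):
    """Compare published SSHFP RRs with the RRs the host's own keys imply."""
    published = {parse_sshfp_rr(line) for line in dns_lines if " SSHFP " in line}
    expected = set()
    for line in pubkey_lines:
        expected |= sshfp_from_pubkey(owner, line)
    return {
        "matched": sorted(published & expected),
        "unmatched": sorted(published - expected),  # published, but no such key on the host
        "missing": sorted(expected - published),    # key on the host, but no RR published
    }


# Constructed keys: not real key pairs, only the blob layout matters for the hash.
HOST_A_PUB = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
HOST_B_PUB = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))).decode()


def rr_text(rec, ttl=3600):
    """Render a record tuple the way dig prints it."""
    owner, alg, fptype, fp = rec
    return f"{owner}. {ttl} IN SSHFP {alg} {fptype} {fp.upper()}"


# Constructed zone for host-a: the correct RRs computed from host-a's own key,
# plus the mistake from the thread: host-b's fingerprints published under
# host-a's name (what 'ssh-keygen -r host-a.example' prints when run on host-b).
ZONE_A = [rr_text(r) for r in sshfp_from_pubkey("host-a.example", HOST_A_PUB)]
ZONE_A += [rr_text(r) for r in sshfp_from_pubkey("host-a.example", HOST_B_PUB)]


def demo():
    """Check host-a's published RRs against the key actually installed on host-a."""
    return check_sshfp("host-a.example", ZONE_A, [HOST_A_PUB])


if __name__ == "__main__":
    for kind, recs in demo().items():
        print(kind, *recs, sep="\n  ")
```

Against a real host, dns_lines is the ANSWER SECTION of "dig sshfp <host>" and pubkey_lines are the /etc/ssh/ssh_host_*_key.pub files copied from that host over a path you already trust; a record in "unmatched" means DNS vouches for a key the host does not have. The same fingerprints come out of "ssh-keygen -r <host> -f <pubkey-file>", since -f makes ssh-keygen read the named key file instead of the local host keys, which is the option the scan in the thread appears to have skipped.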