OpenSSH 4.5 (and probably later and earlier versions) has an issue
in their DNS lookup code that prevents it from using DNSSEC.
getrrsetbyname.c enables DNSSEC if the edns0 option is set (usually this
would be set in the options line of /etc/resolv.conf), but because it
redefines _res to be a variable local to the program, it never notices
that it's set, and thus never enables DNSSEC.

Because of this, even if you are retrieving SSHFP keys from a zone
that your resolving server trusts, ssh will not get a response with
the "ad" (authenticated data) flag set, and will thus decide that the
fingerprints are untrusted. (Well, actually, if your server is receiving
TSIG-signed replies from a server that does trust the zone, the ad flag
will be set, just in case you're trying to examine this and you run into
that.)

I posted about this to the openssh development list a few days ago, but
received no response, so I filed a bug report and applied the appended
patch to our pkgsrc openssh.

So the problem is fixed in pkgsrc. My question is, should I be fixing it
in src as well, and asking for a pullup in the 4-branch?

cjs
-- 
Curt Sampson            <cjs@cynic.net>             +81 90 7737 2974
   The power of accurate observation is commonly called cynicism
   by those who have not got it.    --George Bernard Shaw



$NetBSD: patch-ax,v 1.3 2007/03/16 05:46:07 cjs Exp $

# http://bugzilla.mindrot.org/show_bug.cgi?id=1299

--- openbsd-compat/getrrsetbyname.c.orig	2006-09-02 14:32:40.000000000 +0900
+++ openbsd-compat/getrrsetbyname.c	2007-03-16 14:07:32.000000000 +0900
@@ -67,14 +67,6 @@
  #endif
  #define _THREAD_PRIVATE(a,b,c) (c)

-/* to avoid conflicts where a platform already has _res */
-#ifdef _res
-# undef _res
-#endif
-#define _res	_compat_res
-
-struct __res_state _res;
-
  /* Necessary functions and macros */

  /*