[Pdns-users] SSHFP fingerprint size validation

atanas argirov atanas at argirov.org
Tue Oct 3 16:56:36 UTC 2023


Hello All,

We have found some peculiar behaviour around SSHFP records on ingress via the PowerDNS API or pdnsutil, and before delving deeper, just reaching out here if someone has the answer already. 

Doing API RRSet update for SSHFPs is showing that:

* having a malformed SHA256 fingerprint (hash size + 1) yields:

API: 
git.test.net./SSHFP '1 2 e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb79'

Not in expected format (parsed as '1 2 e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb790' <- 0 on the end

pdnsutil:

pdnsutil add-record test.net git sshfp 600 "1 2 e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb79"

New rrset:
git.test.net. 600 IN SSHFP 1 2 e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb790 <- 0 on the end

* having a malformed fingerprint of (hash size - 1) yields the same error with the trailing 0 added:

{"error": "Record sshfp.test.net./SSHFP '1 2 e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb': Not in expected format (parsed as '1 2 e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb0')"} <- 0 on the end

pdnsutil add-record test.net sshfp sshfp 600 "1 2 e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb"
New rrset:
sshfp.test.net. 600 IN SSHFP 1 2 e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb0 <- trailing zero

* testing a malformed fingerprint size of (hash size +/- 2) is accepted with no complaints from both the API and pdnsutil

My question is:

* is there any validation of the SSHFP fingerprint size based on the hash type?
* where does this trailing zero come from on a hash size of +/- 1?

Best,
Atanas

—

PGP: 0178 A605 C5E5 D207 E940  D109 BACE D962 BA03 327F
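Added example (not from the post or from PowerDNS): a strict SSHFP presentation-format validator that checks the hex fingerprint length against the fingerprint type (20 bytes for type 1 SHA-1, 32 bytes for type 2 SHA-256), next to a hypothetical nibble-pair hex decoder that reproduces the trailing-zero symptom seen above for odd-length input. The lenient decoder is an assumption about how such output could arise, not PowerDNS's parser; the 64-character fingerprint used in the test is constructed.

```python
import re
from typing import Tuple

# Fingerprint types (RFC 4255 SHA-1, RFC 6594 SHA-256) and their digest length in bytes.
FP_TYPE_LEN = {1: 20, 2: 32}
# Algorithm numbers from RFC 4255, RFC 6594, RFC 7479 and RFC 8709.
ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519", 6: "Ed448"}

# Fingerprint quoted in the post: 57 hex characters, i.e. an odd count.
POSTED_FP = "e592ce9a630139e02d2b2c482814ec2fd39f1266b43c45cc669d1eb79"


def lenient_hex_to_bytes(text: str) -> bytes:
    """Hypothetical decoder: reads hex two characters at a time and pads a
    dangling final nibble with 0. This is what would turn '...eb79' into
    '...eb790' on output; it is an assumption, not PowerDNS's code."""
    out = bytearray()
    for i in range(0, len(text), 2):
        chunk = text[i:i + 2]
        if len(chunk) == 1:        # lone trailing nibble becomes the high nibble
            chunk += "0"
        out.append(int(chunk, 16))
    return bytes(out)


def validate_sshfp(rdata: str) -> Tuple[bool, str]:
    """Strict check of '<algorithm> <fp-type> <hex fingerprint>'; returns (ok, reason)."""
    parts = rdata.split()
    if len(parts) != 3:
        return False, "expected '<algorithm> <fp-type> <hex fingerprint>'"
    try:
        alg, fptype = int(parts[0]), int(parts[1])
    except ValueError:
        return False, "algorithm and fingerprint type must be integers"
    fp = parts[2]
    if alg not in ALGORITHMS:
        return False, f"unknown algorithm {alg}"
    if fptype not in FP_TYPE_LEN:
        return False, f"unknown fingerprint type {fptype}"
    if not re.fullmatch(r"[0-9a-fA-F]+", fp):
        return False, "fingerprint is not hexadecimal"
    if len(fp) % 2:
        return False, f"odd hex length {len(fp)}: cannot be a whole number of bytes"
    want = FP_TYPE_LEN[fptype] * 2
    if len(fp) != want:
        return False, f"fingerprint type {fptype} needs {want} hex chars, got {len(fp)}"
    return True, "ok"
```

Rejecting the odd-length and wrong-length cases at ingress is what keeps a record like the +/- 2 case from being published as a syntactically valid but unmatchable fingerprint.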
