On 3/8/23 18:49, Bob Rogers wrote:
From: Marc Chamberlin <marc@marcchamberlin.com>
Date: Wed, 8 Mar 2023 14:04:48 -0800
Hello - I am running an OpenSuSE 15.3 x64 system where I am also running a NAMED server for my network.
> quasar:/etc/named.d # named -v
> BIND 9.16.6 (Stable Release) <id:25846cf>
> quasar:/etc/named.d # ssh -V
> OpenSSH_8.4p1, OpenSSL 1.1.1d 10 Sep 2019
Apparently recently something has changed which is now breaking SSH's ability to connect to a URL with upper case letters in the host name. (I connect and use SSH within a port knocking script which has worked for many years, so I know it is not caused by something I am doing, but by a change that has occurred within either SSH or NAMED.) Internet and Googling searches seem to imply that Bind (NAMED) is now resolving URLs in a case sensitive fashion. https://kb.isc.org/docs/aa-01113 and I suspect this change has just now caught up with me.
But, I don't know if the fault lies entirely with Bind/NAMED. SSH appears to be mangling URLs, changing upper case letters within a URL, to lower case before asking a name server to resolve them. (IMHO this is extremely bad behavior on SSH's part because it is destroying user supplied data, something a program should never do!) Here is an example of what I am seeing that leads me to this conclusion -
> ssh marc@darkstarINT.mydomain.com
> ssh: connect to host darkstarint.mydomain.com port 22: No route to host
Notice SSH changed the upper case "INT" in the host name "darkstarINT" to a lower case "int" in the query. I checked the log file at /var/log/named/named and indeed saw the query for the URL, from SSH, was all lower case. The message "No route to host" is misleading (probably because of bad error handling) and just means SSH was unable to get an IP address from the DNS server for the URL host name, that it mangled.
Since Day 1, DNS has been case-insensitive, and as far as I know, the ssh client has always made its DNS queries in lowercase, so I don't think DNS is your problem. Try doing
ssh -vvv marc@darkstarINT.mydomain.com
and tell us what ssh says.
-- Bob Rogers http://www.rgrjr.com/
Totally agree with your comments about DNS and SSH, and I said as much, but something did break my scripts suddenly. Internet searches imply that DNS/Bind/Named are going towards using case-sensitive compression and I am wondering if this change finally caught up with me and what to do about it. Read the document at isc.org which I provided a link to. Maybe I do have a configuration error in the configuration files for my DNS server and I will continue to look into it. Here is the output I got from trying to use ssh with 3 v's used to increase the debugging messages...
ssh -vvv marc@darkstarINT.mydomain.com
OpenSSH_8.4p1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug2: resolving "darkstarint.mydomain.com" port 22
ssh: Could not resolve hostname darkstarint.mydomain.com: Name or service not known
I don't see anything helpful but maybe your eyes are better than mine... Any more good ideas? Thank you, Marc...
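Added example, not from either poster: a small Python check of the two points raised in the thread, that a DNS query carries the name exactly as typed while name comparison ignores ASCII case (RFC 4343), and that the typed and lowercased forms of a host should therefore resolve to the same addresses. The function names are mine; the host name reuses the thread's darkstarINT.mydomain.com, and resolves_identically() needs a working resolver, so it is a diagnostic for the reader rather than part of the offline checks.

```python
import socket
import struct

def dns_names_equal(a: str, b: str) -> bool:
    """RFC 4343 comparison: labels match ignoring ASCII case, and a trailing
    dot (fully-qualified form) does not make a different name."""
    def norm(name):
        return tuple(label.lower() for label in name.rstrip(".").split("."))
    return norm(a) == norm(b)

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a DNS A/IN query in wire format. Case is preserved byte-for-byte:
    only the *comparison* is insensitive, so 'darkstarINT' is a legal query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_qname(pkt: bytes, offset: int = 12) -> str:
    """Read the question name back out of a packet built by build_a_query."""
    labels = []
    while True:
        n = pkt[offset]
        if n == 0:
            return ".".join(labels)
        labels.append(pkt[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n

def resolves_identically(host: str):
    """Live check (needs a resolver): does the name as typed resolve to the
    same IPv4 set as its lowercase form? Returns (same, typed, lowercase).
    Different sets point at the resolver/server; identical empty sets mean
    the name simply does not resolve, whatever its case."""
    def addrs(h):
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(h, 22, socket.AF_INET)})
        except socket.gaierror:
            return []
    typed, lower = addrs(host), addrs(host.lower())
    return typed == lower, typed, lower

if __name__ == "__main__":
    name = "darkstarINT.mydomain.com"  # host name from the thread
    print(build_a_query(name).hex())
    print(resolves_identically(name))
```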