Re: crypto-keys and cmdinfo
On 21 Sep 2012, at 02:33, Haris Rotsos <cr409@xxxxxxxxxxxx> wrote:

>
> Haris, I've got the DNSSEC-to-SSH converter working, but it looks like you are
> currently resolving DS records directly into SSH public keys, right? Should
> we also look for the SSHFP and use those in preference to DS, if specified?
>
> yes I haven't yet looked at that kind of record, but it is a big issue to
> incorporate them. The main issue there is the dns library that needs to add
> the parsing capability, and the rest should be straightforward.

s/is a big/isnt a big I presume :)

I'll take a look at SSHFP next week (should be very easy, and it's probably better to derive a specific SSHFP key than to use the DS directly).

> By the way, with this library I had a problem to use it as a library in
> signpost. If I used the library the program would segfault and debugging
> didn't give me a programmatic reason. As a result, I was the command line tool
> to generate keys. My conclusion was that the problem had something to do with
> the c-ocaml binding with the ssl library. I need to try it again now, as I
> am thinking that this might be some bad memory handling code in c.

That's very likely; those RSA bindings do need to be deleted before a release since they are cut-and-pasted from an AGPL3 project (and so really cannot be linked in). I implemented something similar in the SSH library from years past, so I'll fix it up on the next pass.

The swiss-army-knife command is really very useful though; good job on hacking that together!

-anil