On Fri, Mar 18, 2011 at 07:41:36PM -0700, Rob Leslie wrote:
> When the VerifyHostKeyDNS option is used, ssh attempts to verify unknown
> remote host keys by looking up SSHFP records in DNS. It relies on the AD
> (Authentic Data) flag in the response to determine whether the fingerprint
> it receives has been cryptographically verified by the resolver (i.e. with
> DNSSEC) and if so, may rely on the matching host key with no further
> verification.
Interestingly the default changed from "yes" to "no" at some point.
openssh (1:5.4p1-2) unstable; urgency=low
* Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
installed, the host key is published in an SSHFP RR secured with DNSSEC,
and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
verification (closes: #572049).
[…]
-- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
And I just had to flip it on manually. The manual page also says that
it's off by default.
The problem with authoritative servers not setting AD is also something I
personally experienced and which is quite annoying. But then I agree
that authoritative and recursor should be split nowadays, although it's a
bit hard to do in a home network environment.
Kind regards
Philipp Kern
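Added example, not part of this thread or of OpenSSH: a small Python model of the decision the quoted paragraph describes. It derives the SSHFP tuple from an OpenSSH public-key line the way ssh-keygen -r does, and accepts the host key without further verification only when a record matches and the resolver set AD; the key, the DnsAnswer type and the record lists are constructed here.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(pubkey_line: str, fptype: int = 2) -> tuple:
    """Return (algorithm, fptype, hex fingerprint) for one OpenSSH public-key line.
    The fingerprint is the hash of the decoded key blob, as published by ssh-keygen -r."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    return SSHFP_ALGO[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest()


@dataclass
class DnsAnswer:
    """Constructed stand-in for a resolver response: the SSHFP RRset plus the AD bit."""
    ad: bool
    rrs: list  # entries are (algorithm, fptype, hex fingerprint)


def host_key_trusted(answer: DnsAnswer, pubkey_line: str) -> bool:
    """VerifyHostKeyDNS=yes decision: True means the key may be accepted without
    prompting. Without AD the record is unauthenticated data and proves nothing,
    so a match is ignored and the normal host-key check must still happen."""
    if not answer.ad:
        return False
    for algo, fptype, fp in answer.rrs:
        if fptype not in SSHFP_HASH:
            continue  # unknown fingerprint type: cannot be compared, never matches
        if (algo, fptype, fp.lower()) == sshfp_from_pubkey(pubkey_line, fptype):
            return True
    return False


def constructed_ed25519_pubkey() -> str:
    """Constructed test key: SSH wire encoding of an ed25519 blob with a dummy key."""
    raw = b"\x11" * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey()
    algo, fptype, fp = sshfp_from_pubkey(key)
    print(f"IN SSHFP {algo} {fptype} {fp}")
    print("AD set, match   ->", host_key_trusted(DnsAnswer(True, [(algo, fptype, fp)]), key))
    print("AD clear, match ->", host_key_trusted(DnsAnswer(False, [(algo, fptype, fp)]), key))
```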