On Fri, Mar 18, 2011 at 07:41:36PM -0700, Rob Leslie wrote:
> When the VerifyHostKeyDNS option is used, ssh attempts to verify unknown
> remote host keys by looking up SSHFP records in DNS. It relies on the AD
> (Authentic Data) flag in the response to determine whether the fingerprint
> it receives has been cryptographically verified by the resolver (i.e. with
> DNSSEC) and if so, may rely on the matching host key with no further
> verification.

Interestingly the default changed from "yes" to "no" at some point.

openssh (1:5.4p1-2) unstable; urgency=low

  * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
    installed, the host key is published in an SSHFP RR secured with
    DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for
    host key verification (closes: #572049).

[…]

 -- Colin Watson <cjwatson@debian.org>  Sat, 10 Apr 2010 01:08:59 +0100

And I just had to flip it on manually. The manual page also says that it's
off by default.

The problem with authoritative servers not setting AD is also something I
personally experienced and which is quite annoying. But then I agree that
authoritative and recursor should be split nowadays, although it's a bit
hard to do in a home network environment.

Kind regards
Philipp Kern
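The quoted description covers two mechanisms that are easy to get wrong when publishing or checking SSHFP records: how the fingerprint in the RR is derived from the host key blob, and that the client only trusts a matching record when the resolver set the AD flag. The following is an added illustration written for this archive page, not code from OpenSSH or from either poster. It builds the SSHFP RDATA for an OpenSSH public key line the way `ssh-keygen -r` would (hash over the base64-decoded key blob, algorithm and fingerprint-type numbers from RFC 4255/6594/7479), then models the VerifyHostKeyDNS decision: a match is only accepted without prompting when the answer carried AD. The ed25519 key is constructed from fixed bytes so the script runs offline; the hostname and the `verify_host_key` return labels are assumptions of this example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint-type numbers, keyed by hashlib name.
SSHFP_FPTYPES = {"sha1": 1, "sha256": 2}
FPTYPE_TO_HASH = {v: k for k, v in SSHFP_FPTYPES.items()}


def parse_openssh_pubkey(line):
    """Return (keytype, raw key blob) from one OpenSSH public key line."""
    keytype, b64, *_comment = line.split()
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed copy of the key type string;
    # refuse a line whose label does not match its own blob.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type label does not match key blob")
    return keytype, blob


def sshfp_rdata(pubkey_line, fptype="sha256"):
    """Compute the (algorithm, fptype, hex fingerprint) SSHFP RDATA for a key.

    As with ssh-keygen -r, the fingerprint is the hash of the whole raw
    key blob, not of the base64 text.
    """
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    digest = hashlib.new(fptype, blob).hexdigest()
    return (alg, SSHFP_FPTYPES[fptype], digest)


def format_sshfp(hostname, rdata):
    """Render RDATA as a zone-file line (hostname is the caller's choice)."""
    alg, fptype, digest = rdata
    return f"{hostname}. IN SSHFP {alg} {fptype} {digest}"


def verify_host_key(pubkey_line, answers, ad_flag):
    """Model the VerifyHostKeyDNS decision for a presented host key.

    answers  - list of (alg, fptype, hexdigest) tuples from the SSHFP lookup
    ad_flag  - whether the resolver set AD (DNSSEC-validated answer)

    Returns one of three labels (names are this example's own):
      "secure-match": validated record matches; ssh can skip the prompt
      "insecure":     no AD bit, so the data cannot be relied on at all
      "no-match":     validated answer, but nothing matches this key
    """
    if not ad_flag:
        # Without AD the records may be forged or stale; treat as absent and
        # fall back to the interactive host key prompt.
        return "insecure"
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    for a_alg, a_fptype, a_digest in answers:
        hash_name = FPTYPE_TO_HASH.get(a_fptype)
        if a_alg != alg or hash_name is None:
            continue  # different key algorithm or unknown fingerprint type
        if hashlib.new(hash_name, blob).hexdigest() == a_digest.lower():
            return "secure-match"
    return "no-match"


def constructed_ed25519_key(seed_byte):
    """Build a syntactically valid ssh-ed25519 public key line from fixed
    bytes (constructed test data, not a real key)."""
    keytype = b"ssh-ed25519"
    pk = bytes([seed_byte]) * 32
    blob = (struct.pack(">I", len(keytype)) + keytype
            + struct.pack(">I", len(pk)) + pk)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


if __name__ == "__main__":
    key = constructed_ed25519_key(0x42)
    rd = sshfp_rdata(key)
    print(format_sshfp("host.example", rd))
    print(verify_host_key(key, [rd], ad_flag=True))
    print(verify_host_key(key, [rd], ad_flag=False))
```

Run stand-alone it prints the zone line for the constructed key followed by "secure-match" and "insecure", which is the behaviour difference the thread is about: the same correct record is useless to ssh when the resolver in front of it does not validate and set AD.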