Hi,

This bug is worse than I initially thought - if you're using SSHFP/DNSSEC, and I am evil, then my pretend-server offers the client a certificate, at which point ssh will not check the DNS at all, and simply offer the user the usual "unable to verify" dialogue. Since most users have been trained to hit "yes" blindly at that dialogue, I think this is a more important security problem than I first thought.

Regards,
Matthew