Re: DNSSEC working but SSHFP reported as insecure
On Sat, 2022-12-03 at 12:09 -0700, Casey Deccio wrote:
>
> > On Dec 3, 2022, at 9:22 AM, Andre Rodier <andre@rodier.me> wrote:
> >
> > > ssh -o VerifyHostKeyDNS=yes main.homebox.world
> >
> > Yes, this is the default option in my ssh/config file.
> >
> > I tried on the command line as well, but same result:
>
> It could be that your default DNS resolver is not validating. ssh simply looks at the result of the DNSSEC validation
> provided by your default resolver [1], so if it's not validating then you will never get "secure". In the example in
> your original post, you queried 1.1.1.1, which is a validating resolver. But your default resolver might yield
> different results. To test, do the following:
>
> $ dig +dnssec main.homebox.world sshfp
>
> And look for the presence of the "ad" (authenticated data) flag in the response.
>
> Casey
>
> [1] https://github.com/openssh/openssh-portable/blob/master/dns.c#L230
Thanks for your suggestion.
I was already using 1.1.1.1 in /etc/resolv.conf, when I had the issue.
I am running Debian Bullseye.
Kind regards,
André
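Added example (not part of the thread, and not OpenSSH's own code): the logic Casey describes in plain Python, so the three facts ssh combines are visible side by side: whether SSHFP records came back at all, whether one matches the host key, and whether the resolver set the AD flag. The packets and the ed25519 key below are constructed in the script for an offline run; a real check would send a DO-bit SSHFP query to whatever /etc/resolv.conf points at, which is exactly the `dig +dnssec ... sshfp` test above. Record layout follows RFC 4255 (SSHFP RDATA: algorithm, fingerprint type, fingerprint) and the AD bit RFC 4035.

```python
# Added example: mirrors how OpenSSH decides VerifyHostKeyDNS outcomes from a
# resolver's answer. Not OpenSSH code; packets and keys here are constructed.
import base64
import hashlib
import struct

TYPE_SSHFP = 44
CLASS_IN = 1
FLAG_QR = 0x8000
FLAG_AD = 0x0020          # RFC 4035 s3.2.3: only a validating resolver sets it
RCODE_MASK = 0x000F

# SSHFP algorithm numbers keyed by OpenSSH key type (RFC 4255, 6594, 7479)
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
             "ssh-ed25519": 4}
FPTYPE_SHA256 = 2


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(packet, offset):
    """Decode a possibly compressed owner name; return (name, next_offset)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                next_off = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (next_off if jumped else offset)


def parse_sshfp_response(packet):
    """Return {'ad': bool, 'rcode': int, 'records': [(alg, fptype, fp_hex)]}."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qd, an, _, _ = struct.unpack("!6H", packet[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = read_name(packet, off)
        off += 4                             # qtype + qclass
    records = []
    for _ in range(an):
        _, off = read_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_SSHFP and rclass == CLASS_IN and rdlen >= 2:
            records.append((rdata[0], rdata[1], rdata[2:].hex()))
    return {"ad": bool(flags & FLAG_AD), "rcode": flags & RCODE_MASK,
            "records": records}


def sshfp_for_key(pubkey_line):
    """(alg, fptype, sha256 hex) of an OpenSSH public key line: the SHA-256
    SSHFP record `ssh-keygen -r` prints is the hash of the raw key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).hexdigest()
    return SSHFP_ALG[keytype], FPTYPE_SHA256, digest


def verify_host_key_dns(packet, pubkey_line):
    """The three facts ssh combines: records found, one matches, AD was set.
    A match without AD is what the client reports as 'insecure'."""
    resp = parse_sshfp_response(packet)
    found = bool(resp["records"]) and resp["rcode"] == 0
    match = found and sshfp_for_key(pubkey_line) in resp["records"]
    secure = match and resp["ad"]
    return {"found": found, "match": match, "secure": secure}


def build_sshfp_response(qname, records, ad):
    """Construct a minimal response for offline testing; not resolver output."""
    flags = FLAG_QR | 0x0100 | 0x0080 | (FLAG_AD if ad else 0)   # RD, RA
    pkt = struct.pack("!6H", 0x1234, flags, 1, len(records), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", TYPE_SSHFP, CLASS_IN)
    for alg, fptype, fp_hex in records:
        rdata = bytes([alg, fptype]) + bytes.fromhex(fp_hex)
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SSHFP, CLASS_IN,
                                         3600, len(rdata)) + rdata
    return pkt


# Constructed sample key: 32 placeholder bytes, not a real curve point.
_blob = (struct.pack("!I", 11) + b"ssh-ed25519"
         + struct.pack("!I", 32) + bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " host@example"
SAMPLE_SSHFP = sshfp_for_key(SAMPLE_KEY)

if __name__ == "__main__":
    for ad in (True, False):
        pkt = build_sshfp_response("main.homebox.world.", [SAMPLE_SSHFP], ad)
        print("AD set  " if ad else "AD clear", verify_host_key_dns(pkt, SAMPLE_KEY))
```

The second loop iteration is the situation in this thread: the record is present and matches, so ssh reports "Matching host key fingerprint found in DNS", but with AD clear it can never reach "secure", regardless of whether the zone itself is signed correctly.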