
Re: DNSSEC working but SSHFP reported as insecure



On Sat, 2022-12-03 at 15:48 +0000, John Scott wrote:
> > Where am I making a mistake, please?
> 
> I think I know the problem. On the client machine, by default glibc
> doesn't indicate to applications that DNS records were signed via
> DNSSEC. This is because, how is glibc to know whether the DNS servers
> it's getting its records from are supposed to be considered
> trustworthy? It might be some DNS server set up by your ISP or
> something, and you might not want to place your full trust in them.
> 
> I believe your server is configured correctly. However, in order for
> GNU/Linux clients to take advantage of DNSSEC, they typically need to
> run validating DNS resolvers locally that can be trusted, AND set a
> glibc option in /etc/resolv.conf letting glibc know that the
> signatures can be trusted.
> 
> I'm not a DNS aficionado, so someone please correct me if I got the
> details wrong

Thanks, John,

I am following this clue.

Kind regards,
André
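
A client-side check for the two conditions described in the quoted reply, added here as an example and not part of the original thread. It assumes the glibc option meant is `trust-ad` (glibc 2.31 and later, see resolv.conf(5)); the function names and sample files are constructed for illustration.

```python
import ipaddress

TRUST_OPTION = "trust-ad"  # assumption: the glibc option the reply refers to

def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf content."""
    nameservers, options = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            options.update(fields[1:])
    # With no nameserver line, the resolver queries the local machine.
    return (nameservers or ["127.0.0.1"]), options

def is_loopback(addr):
    try:
        # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False

def audit(text):
    """List reasons why applications cannot, or should not, rely on the AD bit."""
    nameservers, options = parse_resolv_conf(text)
    findings = []
    remote = [ns for ns in nameservers if not is_loopback(ns)]
    if remote:
        findings.append("non-local nameserver(s): " + ", ".join(remote))
    if TRUST_OPTION not in options:
        findings.append("trust-ad missing: glibc strips the AD bit from replies")
    elif remote:
        findings.append("trust-ad set, but the AD bit arrives over an unauthenticated path")
    return findings

# Constructed sample files (192.0.2.53 is a documentation address).
ISP_DEFAULT = "nameserver 192.0.2.53\n"
LOCAL_VALIDATOR = "# local validating resolver\nnameserver 127.0.0.1\nnameserver ::1\noptions edns0 trust-ad\n"
RISKY = "nameserver 192.0.2.53\noptions trust-ad\n"

if __name__ == "__main__":
    for name, conf in [("isp", ISP_DEFAULT), ("local", LOCAL_VALIDATOR), ("risky", RISKY)]:
        print(name, audit(conf) or "OK")
```

A loopback nameserver only shows where queries go; whether that resolver actually validates DNSSEC has to be checked on the resolver itself.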

