
Re: DNSSEC working but SSHFP reported as insecure




On Dec 3, 2022, at 8:30 AM, Andre Rodier <andre@rodier.me> wrote:

> Where am I making a mistake, please?

The DNSSEC looks fine.  That is, there is a secure chain from the root to the SSHFP record (see below).

Have you tried adding the VerifyHostKeyDNS=yes option?

ssh -o VerifyHostKeyDNS=yes main.homebox.world

Casey


[1]
$ dnsviz probe -a . -A -R sshfp main.homebox.world | dnsviz print
No global IPv6 connectivity detected
Analyzing .
Analyzing world
Analyzing homebox.world
Analyzing main.homebox.world
. [.]
  [.]  DNSKEY: 8/20326/257 [.], 8/18733/256 [.]
  [.]    RRSIG: ./8/20326 (2022-11-30 - 2022-12-21) [.]
world [.] [.]
  [.]  DS: 8/13081/2 [.]
  [.]    RRSIG: ./8/18733 (2022-12-03 - 2022-12-16) [.]
  [.]  DNSKEY: 8/13081/257 [.], 8/5436/256 [.], 8/60063/256 [.]
  [.]    RRSIG: world/8/13081 (2022-12-01 - 2022-12-22) [.]
homebox.world [.] [.]
  [.]  DS: 13/8704/2 [.], 13/19691/2 [.], 13/45407/2 [.]
  [.]    RRSIG: world/8/5436 (2022-12-02 - 2022-12-23) [.]
  [.]  DNSKEY: 13/19691/257 [.], 13/45407/256 [.], 13/8704/257 [.]
  [.]    RRSIG: homebox.world/13/8704 (2022-11-24 - 2022-12-15) [.]
  [.]    RRSIG: homebox.world/13/19691 (2022-11-24 - 2022-12-15) [.]
main.homebox.world
  [.]  SSHFP: 1 2 7cf3701693baeb8406fd0db7182e01bbadc1f639ba4fc2ca7224116cc9d237dc, 2 1 eb09a2823e9d8a51ef7fe3260e0890a56924da6f, 3 1 142f2a695a2e06cabab6e19800657c3f0b28301d, 4 1 35d346e05d1351a78868e033ebe736c3030d3551, 4 2 052736c5f2e6dce7d41aeeb7f41dbce01d19d2ac9e9ccffab79fb37ab85ce335, 2 2 c3cdd443653530c94c1b90511f3e07ce8fe1fcbbcd60e37729543a577b0a5a44, 3 2 4f6dd59b7c671e9fe3265057aef76bc448aef75a4fce35513c17c62e9bb9c8f6, 1 1 ea89f6c8c8eda5e29e913f4448a816a19624d125
  [.]    RRSIG: homebox.world/13/45407 (2022-11-24 - 2022-12-15) [.]
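
Added example, not part of the original message: how an SSHFP record relates to a host key, and why a matching fingerprint can still be reported as insecure. The key blob is constructed for illustration, the function names are hypothetical, and the three-way result is a simplified model of how `VerifyHostKeyDNS=yes` treats validated versus unvalidated answers.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
            "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
            "ecdsa-sha2-nistp521": 3}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_sshfp(rdata_list):
    """Parse 'alg type hex' strings (as printed by dnsviz or dig) into tuples."""
    records = set()
    for rdata in rdata_list:
        alg, fp_type, fp_hex = rdata.split()
        records.add((int(alg), int(fp_type), fp_hex.lower()))
    return records


def sshfp_for_key(pubkey_line):
    """SSHFP tuples that a host key line ('type base64 [comment]') should publish."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the fingerprint is a hash of this wire-format blob
    return {(KEY_ALGS[key_type], t, h(blob).hexdigest()) for t, h in FP_TYPES.items()}


def check_host_key(pubkey_line, rdata_list, dnssec_validated):
    """Simplified model: a match is only 'secure' if the answer was DNSSEC-validated."""
    published = parse_sshfp(rdata_list)
    if not (sshfp_for_key(pubkey_line) & published):
        return "mismatch"
    return "secure-match" if dnssec_validated else "insecure-match"


def constructed_ed25519_line():
    """Constructed sample key (not a real host key): two length-prefixed SSH strings."""
    name, raw = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    line = constructed_ed25519_line()
    rrset = [f"{a} {t} {h}" for a, t, h in sorted(sshfp_for_key(line))]
    print(check_host_key(line, rrset, dnssec_validated=True))
    print(check_host_key(line, rrset, dnssec_validated=False))
```

The same fingerprint yields a different outcome depending only on whether the resolver's answer reached the client marked as validated, which is separate from whether the zone's signatures are correct.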

