Yes, this is the default option in my ssh/config file. I tried on the command line as well, but same result:
ssh -o VerifyHostKeyDNS=yes main.homebox.world
It could be that your default DNS resolver is not validating. ssh simply looks at the result of the DNSSEC validation provided by your default resolver [1], so if it's not validating then you will never get "secure". In the example in your original post, you queried 1.1.1.1, which is a validating resolver. But your default resolver might yield different results. To test, do the following:
$ dig +dnssec main.homebox.world sshfp
And look for the presence of the "ad" (authenticated data) flag in the response.
Casey
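To make the check Casey describes repeatable, here is an added example (not code from the thread): a small POSIX shell script that runs the same dig +dnssec SSHFP query, decides "secure" or "insecure" from the presence of the "ad" flag in the response header, and counts the SSHFP records returned. The sample responses embedded below are constructed for illustration, with placeholder digests rather than real fingerprints; the hostname and the 1.1.1.1 resolver are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a resolver's answer for an
# SSHFP query was DNSSEC-validated by looking for the "ad" flag in dig's header,
# which is the same signal ssh's VerifyHostKeyDNS relies on.

# Reads dig output on stdin; exits 0 when the header flags include "ad".
has_ad_flag() {
    awk '
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line)   # drop the label
            sub(/;.*/, "", line)          # keep only the flag tokens
            n = split(line, t, " ")
            for (i = 1; i <= n; i++) if (t[i] == "ad") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Reads dig output on stdin; prints "secure" or "insecure".
classify_dig_output() {
    if has_ad_flag; then echo secure; else echo insecure; fi
}

# Reads dig output on stdin; prints the number of SSHFP records in the answer
# (RRSIG records covering SSHFP are not counted).
count_sshfp() {
    awk '$3 == "IN" && $4 == "SSHFP" { c++ } END { print c + 0 }'
}

# Queries for HOST's SSHFP records with dig +dnssec (as in the thread) and
# reports whether the answer was validated. RESOLVER is optional, e.g. @1.1.1.1;
# leave it empty to test the default resolver ssh itself would use.
check_host() {
    host=$1; resolver=$2
    out=$(dig +dnssec $resolver "$host" SSHFP)
    printf '%s: %s, %s SSHFP record(s)\n' "$host" \
        "$(printf '%s\n' "$out" | classify_dig_output)" \
        "$(printf '%s\n' "$out" | count_sshfp)"
}

# Constructed sample responses (placeholder digests, not real fingerprints).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
main.homebox.world. 3600 IN SSHFP 4 2 0000000000000000000000000000000000000000000000000000000000000000
main.homebox.world. 3600 IN SSHFP 1 2 1111111111111111111111111111111111111111111111111111111111111111
main.homebox.world. 3600 IN RRSIG SSHFP 13 3 3600 20300101000000 20290101000000 12345 homebox.world. PLACEHOLDER=='

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
main.homebox.world. 3600 IN SSHFP 4 2 0000000000000000000000000000000000000000000000000000000000000000
main.homebox.world. 3600 IN SSHFP 1 2 1111111111111111111111111111111111111111111111111111111111111111'

# Usage against a live resolver (needs network): check_host main.homebox.world @1.1.1.1
```

Run `check_host main.homebox.world` with no resolver argument and then again with `@1.1.1.1`: if only the second prints "secure", the default resolver is not validating, which matches the situation Casey describes. The script inspects only the dig header, so a response that carries SSHFP records but no "ad" flag is reported as "insecure" even though the records are present.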