"VerifyHostKeyDNS yes" does not work as expected
Matthew Seaman
matthew at FreeBSD.org
Thu May 15 15:00:32 UTC 2014
On 15/05/2014 09:54, Victor Sudakov wrote:
> Dear Colleagues,
>
> I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
> connect to a host, I get:
>
> $ ssh admin.sibptus.ru
> The authenticity of host 'admin.sibptus.ru (212.73.125.240)' can't be established.
> ECDSA key fingerprint is 83:ca:c0:af:42:5c:35:30:38:d7:78:e3:1d:c9:c2:3e.
> Matching host key fingerprint found in DNS.
> Are you sure you want to continue connecting (yes/no)?
>
> Why does ssh not implicitly trust the key published in DNS? Why does
> it ask me?
>
> The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
> configured with "dnssec-validation auto". What else am I missing?
>
> Thanks for any ideas.
>
> Here is some debug: http://pastebin.com/q12R7RPH
>
Your debug output suggests that ssh doesn't trust the SSHFP results from
DNS -- which would seem to be a problem with DNSSEC on your domain.
Given dnsviz.net confirms DNSSEC on your domain is fine, I guess you
need to look into what your recursive resolver is doing with DNSSEC records.
Also, VerifyHostKeyDNS yes is the default in recent FBSD.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
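What ssh is deciding in the prompt quoted above, as an added illustration that is not part of this thread: it derives the SSHFP record (RFC 4255) from the host's public key, compares it with the record returned by DNS, and only treats a match as trusted when the resolver's answer carries the AD (authenticated data) bit, which is why a found-but-unauthenticated match still prompts. The key blob and DNS headers below are constructed sample data, not values from the thread.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / RFC 6594) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_record(pubkey_line, fptype=2):
    """Build the SSHFP RDATA (alg, fptype, hex fingerprint) from an OpenSSH
    public-key line such as one printed by ssh-keyscan or kept in known_hosts."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The fingerprint covers the raw wire-format key blob, not the base64 text.
    digest = SSHFP_DIGEST[fptype](blob).hexdigest()
    return (SSHFP_ALGORITHM[keytype], fptype, digest)


def dns_answer_authenticated(header):
    """True when a 12-byte DNS response header carries the AD bit, i.e. the
    resolver validated the answer with DNSSEC. ssh needs this before it will
    trust an SSHFP match instead of prompting."""
    flags = struct.unpack("!H", header[2:4])[0]
    return bool(flags & 0x0020)


def sshfp_trusted(pubkey_line, dns_rdata, header):
    """Mirror ssh's decision: a matching SSHFP record is trusted only when
    the DNS answer was authenticated; otherwise the user is still asked."""
    alg, fptype, fp = dns_rdata
    matches = sshfp_record(pubkey_line, fptype) == (alg, fptype, fp.lower())
    return matches and dns_answer_authenticated(header)


def _ssh_string(data):
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack("!I", len(data)) + data


# Constructed sample: an ssh-ed25519 key blob with a placeholder 32-byte key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
# Constructed DNS headers: flags 0x81a0 has AD set, 0x8180 does not.
AD_HEADER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
NO_AD_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

Feeding the record computed from the host's own key back through `sshfp_trusted` with each header shows that a matching record is accepted only with the AD bit present, which is the situation the debug output describes.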