ssh sshfp improvement
Philip Homburg
pch-fbsd at u-1.phicoh.com
Sun Sep 6 18:52:38 UTC 2015
Hi,
I'm not sure if this is the right list for this. If it isn't, then please
redirect me to the right one.
I found three issues with how openssh handles SSHFP records:
- If DNSSEC verification fails it displays a (to me) confusing error
message 'Matching host key fingerprint found in DNS.'
- It trusts resolvers doing DNSSEC validation instead of always doing
local validation
- It fails to do local validation due to lack of trust anchor.
In any case, ldns, which is used for this feature, is not the right tool
for the job.
So I wrote a patch to use getdns instead. I submitted the patch to the openssh
maintainers, but they don't seem to care.
As far as I know, FreeBSD is the only system that enables SSHFP validation by
default so it makes sense to submit it here as well.
I put my code up on github.
https://github.com/phicoh/openssh-getdns
branch getdns.
Philip
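An added example (not Philip's patch and not OpenSSH code) that makes the first two issues concrete: derive the SSHFP fingerprint from a host key and treat a matching record as trusted only when the DNS answer passed local DNSSEC validation, reporting a message that says which case occurred. The record and answer classes, the `secure` flag standing in for the local validator's result, and the sample Ed25519 key are constructed for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

@dataclass
class SshfpRecord:
    alg: int
    fptype: int
    fingerprint: str  # lowercase hex, as published in the zone

@dataclass
class DnsAnswer:
    records: list
    secure: bool  # outcome of LOCAL DNSSEC validation, not the resolver's AD bit

def sshfp_from_hostkey(hostkey_line, fptype=2):
    """Derive the SSHFP record that an SSH host key line would publish."""
    keytype, b64 = hostkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the wire-format key blob is what gets hashed
    return SshfpRecord(SSHFP_ALG[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest())

def check_hostkey(hostkey_line, answer):
    """Return (verdict, message); only a locally validated answer can be 'trusted'."""
    if not answer.records:
        return "none", "No SSHFP records found in DNS."
    alg = SSHFP_ALG[hostkey_line.split()[0]]
    matched = any(
        sshfp_from_hostkey(hostkey_line, rec.fptype).fingerprint == rec.fingerprint.lower()
        for rec in answer.records if rec.fptype in SSHFP_HASH and rec.alg == alg)
    if not matched:
        return "mismatch", "Host key does not match any SSHFP record in DNS."
    if not answer.secure:
        return "unverified", "Matching SSHFP record found, but DNSSEC validation failed; not trusting it."
    return "trusted", "Matching host key fingerprint found in DNS (DNSSEC validated)."

# Constructed sample: a fake Ed25519 host key (32 placeholder bytes, not a real key).
def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_HOSTKEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode()
MATCHING_RECORD = SshfpRecord(4, 2, hashlib.sha256(_BLOB).hexdigest())
WRONG_RECORD = SshfpRecord(4, 2, "00" * 32)

if __name__ == "__main__":
    for secure in (True, False):
        print(check_hostkey(SAMPLE_HOSTKEY, DnsAnswer([MATCHING_RECORD], secure)))
    print(check_hostkey(SAMPLE_HOSTKEY, DnsAnswer([WRONG_RECORD], True)))
```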
More information about the freebsd-security mailing list