avoiding 'authenticity' prompt
Damien Miller
djm at mindrot.org
Sun Nov 14 21:03:03 EST 2004
Dan Kaminsky wrote:
> And of course, all these options can be thrown in /etc/ssh_config .
>
> What's the present status of putting SSH host keys in DNS, btw? Anyone
> know?
Dan, you should know how to read manpages and use Google better
than most :)
The RR type is assigned and support has been in OpenSSH since
3.7p1 (IIRC). BIND 9 has had support for the RR type for quite a
while too. For full support you really need DNSSEC, though results
will be displayed without it.
ssh-keygen can convert from host pubkeys into SSHFP records using the
-r option. "dig baragon.mindrot.org any" for an example. Checking is
enabled using the "VerifyHostKeyDNS" ssh option. See README.DNS for
details.
It works well in practice using my DNSSEC test domain.
-d
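A worked example of what the reply describes, added here and not part of the thread or of OpenSSH's own code: it builds SSHFP records from an OpenSSH public key line the way "ssh-keygen -r" does (fingerprint of the base64-decoded key blob, per RFC 4255), and then performs the client-side check that VerifyHostKeyDNS does, refusing to treat a match as authoritative unless the DNS answer was DNSSEC-validated. It goes beyond the 2004 state of the RR by including the SHA-256 fingerprint type and the ECDSA/Ed25519 algorithm numbers assigned later (RFC 6594, RFC 7479). The host names and the two Ed25519 keys are constructed filler, not real keys; the hostnames and function names are this example's own.

```python
import base64
import hashlib
import struct

# SSHFP code points: algorithm (RFC 4255, 6594, 7479) and fingerprint type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    # The blob begins with the key type as an SSH string; it must agree with the line.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type inside blob does not match key type on line")
    return keytype, blob


def sshfp_records(hostname: str, pubkey_line: str, fptypes=(1, 2)):
    """Produce presentation-format SSHFP RRs for a host key, one per fingerprint type.

    The fingerprint is the hash of the decoded key blob, which is what
    ssh-keygen -r publishes for a host key.
    """
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [
        f"{hostname} IN SSHFP {alg} {fptype} {SSHFP_FPTYPES[fptype](blob).hexdigest()}"
        for fptype in fptypes
    ]


def parse_sshfp(record: str):
    """Return (algorithm, fptype, fingerprint hex) from a presentation-format RR.

    Accepts dig-style output with a TTL and a fingerprint split by whitespace.
    """
    fields = record.split()
    idx = fields.index("SSHFP")
    alg, fptype = int(fields[idx + 1]), int(fields[idx + 2])
    return alg, fptype, "".join(fields[idx + 3:]).lower()


def verify_host_key(pubkey_line: str, records, dnssec_validated: bool) -> str:
    """Check a presented host key against SSHFP records, as a client would.

    Returns 'secure' on a match from a DNSSEC-validated answer, 'insecure' on a
    match from an unvalidated answer (display only, do not trust), 'mismatch'
    if no record of a usable algorithm/fingerprint type matches.
    """
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    for rec in records:
        r_alg, r_fptype, r_fp = parse_sshfp(rec)
        if r_alg != alg or r_fptype not in SSHFP_FPTYPES:
            continue  # skip records for other key types or unknown hash types
        if SSHFP_FPTYPES[r_fptype](blob).hexdigest() == r_fp:
            return "secure" if dnssec_validated else "insecure"
    return "mismatch"


def make_ed25519_key_line(seed: int, comment: str) -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 public key line.

    The 32-byte point is filler, not a real key; it only exercises the hashing.
    """
    point = bytes((seed + i) % 256 for i in range(32))
    blob = ssh_string(b"ssh-ed25519") + ssh_string(point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample keys for two hosts (hostnames are hypothetical).
HOST_A_KEY = make_ed25519_key_line(0, "host-a (constructed)")
HOST_B_KEY = make_ed25519_key_line(7, "host-b (constructed)")

if __name__ == "__main__":
    records = sshfp_records("host-a.example.", HOST_A_KEY)
    for r in records:
        print(r)
    print(verify_host_key(HOST_A_KEY, records, dnssec_validated=True))   # secure
    print(verify_host_key(HOST_A_KEY, records, dnssec_validated=False))  # insecure
    print(verify_host_key(HOST_B_KEY, records, dnssec_validated=True))   # mismatch
```

The "insecure" outcome is the point of the DNSSEC remark in the reply: a matching SSHFP record from an unsigned zone tells you nothing an attacker who can spoof DNS could not also forge, so a client should only let it replace the usual host key prompt when the resolver reports the answer as validated. Publishing is just pasting the output of sshfp_records (or of ssh-keygen -r on the real host) into the zone; the client side is enabled with the VerifyHostKeyDNS option in ssh_config.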