HostKey checking and DNS finger print verification

Darren Tucker dtucker at
Thu Mar 23 21:00:43 EST 2006

Senthil Kumar wrote:
> I have a client-server setup with about 100 nodes. We often install the OS 
> and this results in change of host keys in our server. This necessiates the 
> need to update all known_hosts files in the client machines. Im using the 
> VerifyHostKeyDNS option in the client side where the DNS is updated with new 
> finger print each time we change the host key. But still the SSH client 
> verifies its known_hosts file even the DNS finger print matches.
> Is there any way to overcome clients local database checking if DNS finger 
> print matches? What are the security issues associated with this way?

If your DNS is trusted (ie DNSSEC) then the fingerprints will be trusted
too.  Otherwise the DNS results are used as an additional check but are
not trusted.

If practical you could also save and restore the host keys during a rebuild.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list