auto-accept keys matching DNSSEC-validated SSHFP records

Alex Bligh alex at
Thu Jul 21 03:41:53 EST 2011

--On 20 July 2011 12:47:03 -0400 Robert Story <rstory at> wrote:

> 3) ssh to same host after SSHFP record updated and re-signed
> $ ./ssh bishop
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Howerver, a matching host key, validated by DNSSEC, was found.
> The fingerprint for the RSA key sent by the remote host is
> 1a:48:3f:2c:54:29:60:c4:86:b9:78:bd:e9:64:1f:8d.
> Please contact your system administrator.
> Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this
> message. Offending key in /home/rstory/.ssh/known_hosts:69
> The authenticity of host 'bishop.vb (' was  validated via
> DNSSEC. Warning: Permanently added 'bishop.vb' (RSA) to the list of known
> hosts.

I think the functionality I'd want here (I appreciate other people
might differ) is no warning here.

But the text of this warning is really confusing. Firstly it says
"Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this
message.", then tells you (I think) that it has done just that. It
should either be telling you that you need to do it (and not completing
the connection), or not warning and completing the connection, I think.

Alex Bligh

More information about the openssh-unix-dev mailing list