Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.

Peter Stuge peter at stuge.se
Sun Feb 24 06:15:35 AEDT 2019

Yegor Ievlev wrote:
> > I think it's a very bad idea to have the client start treating foreign
> > network input as equivalent to local configuration.
> Well, SSHFP is supposed to only be used on DNSSEC-enabled domains.

To the client it's still foreign input, even though it's signed by
(best case) the remote site DNS administrator.


More information about the openssh-unix-dev mailing list