Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.

Yegor Ievlev koops1997 at gmail.com
Mon Feb 25 12:18:32 AEDT 2019


Well, the most likely entity who can do that is your registrar, since
it can change your nameservers and DS records.

On Mon, Feb 25, 2019 at 3:51 AM Christoph Anton Mitterer
<calestyo at scientia.net> wrote:
>
> On Sat, 2019-02-23 at 22:23 +0300, Yegor Ievlev wrote:
> > Well, known_hosts isn't exactly trusted input, since it's usually
> > composed of the keys you first encounter
> If someone accepts keys without checking them, he cannot be helped.
>
>
> >  without any additional
> > checking, as opposed to (hopefully) correctly signed SSHFP records.
> In fact, SSHFP is far less trustworthy than properly exchanged host
> keys (respectively fingerprints).
>
> Anyone in the tree of the DNS down to the domain with your SSHFP RR has
> the potential power to forge such RR.
>
>
> C.
>
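The exchange above turns on two things: what an SSHFP record actually contains (a hash of the host key blob, so a match only says "the zone publisher saw this key") and the fact that a match is worthless unless the DNS answer was DNSSEC-validated, since anyone able to edit the zone or its delegation can publish a forged RR. The following script is an added example, not code from the thread or from OpenSSH: it rebuilds the SSHFP RDATA the way `ssh-keygen -r` does and performs the comparison ssh(1) makes under `VerifyHostKeyDNS`, refusing to trust any match when the caller cannot vouch that the answer was validated. The host key embedded in it is constructed for the demonstration and is not a real key; the `dnssec_validated` flag is assumed to come from the resolver's AD bit.

```python
"""Compute and check SSHFP fingerprints for an OpenSSH host key (added example).

Mirrors what `ssh-keygen -r` emits and what ssh(1) compares when
VerifyHostKeyDNS is enabled. The comparison is only meaningful when the
resolver reported the answer as DNSSEC-validated (AD flag set).
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479, 8709) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line: str):
    """Return (key_type, raw key blob) from a known_hosts/authorized_keys style line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; check it agrees.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside blob does not match the type field")
    return key_type, blob


def sshfp_fingerprint(line: str, fp_type: int = 2) -> str:
    """Hex fingerprint of the whole key blob, as carried in SSHFP RDATA."""
    _, blob = parse_pubkey_line(line)
    return SSHFP_HASH[fp_type](blob).hexdigest()


def sshfp_record(line: str, fp_type: int = 2) -> str:
    """'<alg> <fptype> <hex>': the RDATA that `ssh-keygen -r` would print."""
    key_type, _ = parse_pubkey_line(line)
    return f"{SSHFP_ALGORITHM[key_type]} {fp_type} {sshfp_fingerprint(line, fp_type)}"


def key_matches_sshfp(line: str, records, dnssec_validated: bool) -> bool:
    """True only if some RR matches AND the DNS answer was DNSSEC-validated.

    Without validation a match proves nothing: anyone able to change the
    zone, or a parent zone's delegation, could have published the RR.
    """
    if not dnssec_validated:
        return False
    key_type, blob = parse_pubkey_line(line)
    for rr in records:
        alg, fp_type, hexfp = rr.split()
        alg, fp_type = int(alg), int(fp_type)
        if alg != SSHFP_ALGORITHM.get(key_type) or fp_type not in SSHFP_HASH:
            continue  # algorithm or hash type does not apply to this key
        if SSHFP_HASH[fp_type](blob).hexdigest() == hexfp.lower():
            return True
    return False


# Constructed sample host key (NOT a real key): an ed25519 blob over 32 fixed bytes.
_raw = bytes(range(32))
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + _raw
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " example-host"

if __name__ == "__main__":
    rr = sshfp_record(SAMPLE_KEY_LINE)
    print("SSHFP RDATA:", rr)
    print("validated match:", key_matches_sshfp(SAMPLE_KEY_LINE, [rr], dnssec_validated=True))
    print("unvalidated match:", key_matches_sshfp(SAMPLE_KEY_LINE, [rr], dnssec_validated=False))
```

The design choice worth noting is that `key_matches_sshfp` takes the validation status as an explicit input rather than inferring it: a client that compares fingerprints without that gate has simply moved its trust from the first-seen known_hosts entry to whoever controls the DNS tree above the zone, which is the point Christoph makes above.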


More information about the openssh-unix-dev mailing list