Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.

Gert Doering gert at greenie.muc.de
Mon Feb 25 19:29:54 AEDT 2019


On Mon, Feb 25, 2019 at 01:51:16AM +0100, Christoph Anton Mitterer wrote:
> Anyone in the tree of the DNS down to the domain with your SSHFP RR has
> the potential power to forge such RR.

This is why you only trust SSHFPs if they are DNSSEC validated.

(Of course the sysadmin who maintains your SSHFP zone entries needs to
be trusted, so you do not want to do this for zones hosted elsewhere)

"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
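To make the rule in this reply concrete, here is an added Python example (not from the thread or from OpenSSH itself) that models how an SSH client should treat SSHFP data: it computes the SSHFP fingerprint of a host key the way `ssh-keygen -r` does, and only accepts a DNS answer when the resolver reported it as DNSSEC-validated (the AD bit). The host key and the DNS answers are constructed inline for illustration; the key material is not a real key.

```python
import base64
import hashlib

# SSHFP algorithm numbers and fingerprint types (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, hex fingerprint) for a host public key in
    known_hosts/authorized_keys format, as `ssh-keygen -r` would publish it.
    The fingerprint is the hash of the raw (base64-decoded) key blob."""
    keytype, blob = pubkey_line.split()[:2]
    digest = SSHFP_HASH[fp_type](base64.b64decode(blob)).hexdigest()
    return (SSHFP_ALGO[keytype], fp_type, digest)


def host_key_trusted_by_dns(pubkey_line, answer):
    """Model of the client rule from the thread: an SSHFP record may only
    decide host key trust when the answer was DNSSEC-validated (AD bit set)
    AND one of the records matches the key the server presented.
    `answer` is {"ad": bool, "records": [(algo, fp_type, hex_fp), ...]}."""
    if not answer["ad"]:
        # Unvalidated data: anyone in the DNS path could have forged it.
        return False
    return any(sshfp_from_pubkey(pubkey_line, t) == (a, t, fp.lower())
               for (a, t, fp) in answer["records"] if t in SSHFP_HASH)


# Constructed Ed25519 host key (wire format: string "ssh-ed25519" + 32 bytes);
# the 32 key bytes are a counting pattern, not a real key.
_blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
HOST_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " example-host"

_legit = sshfp_from_pubkey(HOST_KEY)            # what the zone owner publishes
_forged = (4, 2, "00" * 32)                      # constructed non-matching record

VALIDATED_ANSWER = {"ad": True, "records": [_legit]}
UNVALIDATED_ANSWER = {"ad": False, "records": [_legit]}   # right data, no DNSSEC
VALIDATED_MISMATCH = {"ad": True, "records": [_forged]}

if __name__ == "__main__":
    print("SSHFP record:", _legit)
    print("validated+match   ->", host_key_trusted_by_dns(HOST_KEY, VALIDATED_ANSWER))
    print("unvalidated+match ->", host_key_trusted_by_dns(HOST_KEY, UNVALIDATED_ANSWER))
    print("validated+mismatch->", host_key_trusted_by_dns(HOST_KEY, VALIDATED_MISMATCH))
```

The second case is the one this reply is about: a correct-looking record that was not DNSSEC-validated must not be trusted, because a forged one would look identical to the client.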

More information about the openssh-unix-dev mailing list