Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Gert Doering
gert at greenie.muc.de
Mon Feb 25 19:29:54 AEDT 2019
Hi,
On Mon, Feb 25, 2019 at 01:51:16AM +0100, Christoph Anton Mitterer wrote:
> Anyone in the tree of the DNS down to the domain with your SSHFP RR has
> the potential power to forge such RR.
This is why you only trust SSHFPs if they are DNSSEC validated.
(Of course the sysadmin who maintains your SSHFP zone entries needs to
be trusted, so you do not want to do this for zones hosted elsewhere)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
More information about the openssh-unix-dev
mailing list