OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you disable LDNS in src.conf. If DNSSEC is enabled, the default setting for VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask" (aka "train the user to type 'yes' and hit enter") and "no" (aka "train the user to type 'yes' and hit enter without even the benefit of a second opinion"). DES -- Dag-Erling Smørgrav - des_at_des.noReceived on Wed Sep 11 2013 - 13:00:45 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:41 UTC