HEADS UP: OpenSSH with DNSSEC support in 10

Dag-Erling Smørgrav des at des.no
Wed Sep 11 15:00:45 UTC 2013


OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
disable LDNS in src.conf.  If DNSSEC is enabled, the default setting for
VerifyHostKeyDNS is "yes".  This means that OpenSSH will silently trust
DNSSEC-signed SSHFP records.  I consider this a lesser evil than "ask"
(aka "train the user to type 'yes' and hit enter") and "no" (aka "train
the user to type 'yes' and hit enter without even the benefit of a
second opinion").

DES
-- 
Dag-Erling Smørgrav - des at des.no
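As an added illustration of what a "yes" setting actually compares, not code from the post or from OpenSSH: the script below builds SSHFP records from a host public key the way `ssh-keygen -r` does (RFC 4255 algorithm and fingerprint-type numbers, SHA-1 and SHA-256 over the raw key blob) and then checks a presented key against a published record set. The ed25519 key lines are constructed in the script and are not real keys; the function names are this example's own.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519)
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return the (alg, fptype, hexdigest) tuples ssh-keygen -r would emit."""
    keytype, b64 = pubkey_line.split()[:2]
    alg = SSHFP_ALGORITHMS[keytype]
    blob = base64.b64decode(b64)
    # The wire-format blob starts with a length-prefixed copy of the key type;
    # refuse to fingerprint a line whose prefix and blob disagree.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type prefix does not match key blob")
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_FPTYPES.items()]


def zone_lines(owner, pubkey_line):
    """Render the records as zone-file lines, e.g. 'host.example. IN SSHFP 4 2 <hex>'."""
    return [f"{owner} IN SSHFP {alg} {fptype} {fp}" for alg, fptype, fp in sshfp_records(pubkey_line)]


def host_key_matches(pubkey_line, published):
    """Mimic the VerifyHostKeyDNS comparison: accept only if a published record
    has the same algorithm, fingerprint type and digest as the presented key."""
    published_set = {(a, f, fp.lower()) for a, f, fp in published}
    return any(rec in published_set for rec in sshfp_records(pubkey_line))


def _fake_ed25519_key(seed, comment):
    # Constructed sample: a syntactically valid ssh-ed25519 line whose 32 key
    # bytes are just a hash of the seed, so it is not a usable key.
    point = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


HOST_KEY = _fake_ed25519_key(b"constructed host key", "host.example")
ROGUE_KEY = _fake_ed25519_key(b"constructed other key", "impostor")


def demo():
    """Publish records for HOST_KEY, then test the genuine and a rogue key against them."""
    published = sshfp_records(HOST_KEY)
    return host_key_matches(HOST_KEY, published), host_key_matches(ROGUE_KEY, published)


if __name__ == "__main__":
    for line in zone_lines("host.example.", HOST_KEY):
        print(line)
    print(demo())  # (True, False)
```

The check is only as strong as the DNS answer it runs on: OpenSSH with "yes" treats a matching SSHFP record as authoritative only when the resolver reports it as DNSSEC-validated, which is why the post ties the default to the LDNS build; an unsigned or unvalidated answer falls back to the usual host-key prompt.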

