"VerifyHostKeyDNS yes" does not work as expected

Victor Sudakov vas at mpeks.tomsk.su
Thu Jun 12 05:45:57 UTC 2014

Victor Sudakov wrote:
> I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
> connect to a host, I get:

If anyone has DNSSEC enabled in their resolver, could you please try
and ssh to noc.sibptus.ru and report if your ssh client trusts the host
keys in DNS?

Please report your OS version too.

> Why does ssh not implicitly trust the key published in DNS? Why does
> it ask me?
> The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
> configured with "dnssec-validation auto". What else am I missing?

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

More information about the freebsd-questions mailing list