"VerifyHostKeyDNS yes" does not work as expected
Victor Sudakov
vas at mpeks.tomsk.su
Thu May 15 13:54:09 UTC 2014
Dear Colleagues,
I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
connect to a host, I get:
$ ssh admin.sibptus.ru
The authenticity of host 'admin.sibptus.ru (212.73.125.240)' can't be established.
ECDSA key fingerprint is 83:ca:c0:af:42:5c:35:30:38:d7:78:e3:1d:c9:c2:3e.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
Why does ssh not implicitly trust the key published in DNS? Why does
it ask me?
The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
configured with "dnssec-validation auto". What else am I missing?
Thanks for any ideas.
Here is some debug: http://pastebin.com/q12R7RPH
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
More information about the freebsd-questions
mailing list