"VerifyHostKeyDNS yes" does not work as expected

Victor Sudakov vas at mpeks.tomsk.su
Fri May 16 16:53:30 UTC 2014

Matthew Seaman wrote:
> > 
> > I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
> > connect to a host, I get:
> > 
> > $ ssh admin.sibptus.ru
> > The authenticity of host 'admin.sibptus.ru (' can't be established.
> > ECDSA key fingerprint is 83:ca:c0:af:42:5c:35:30:38:d7:78:e3:1d:c9:c2:3e.
> > Matching host key fingerprint found in DNS.
> > Are you sure you want to continue connecting (yes/no)? 
> > 
> > Why does ssh not implicitly trust the key published in DNS? Why does
> > it ask me?
> > 
> > The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
> > configured with "dnssec-validation auto". What else am I missing?
> > 
> > Thanks for any ideas.
> > 
> > Here is some debug: http://pastebin.com/q12R7RPH
> > 
> Your debug output suggests that ssh doesn't trust the SSHFP results from
> DNS -- which would seem to be a problem with DNSSEC on your domain.
> Given dnsviz.net confirms DNSSEC on your domain is fine, 

So does http://dnssec-debugger.verisignlabs.com/sibptus.ru

> I guess you need to look into what your recursive resolver is doing
> with DNSSEC records.

Well, the output of "dig admin.sibptus.ru" has the ad flag, does it
not mean that the DNS reply is authenticated ?

I have also information from my friends running Linux that they are
able to connect to admin.sibptus.ru without ssh asking to save the key
in ~/.ssh/known_hosts, so the server side is probably working.

Is there anything the matter with the FreeBSD ssh client ? I have
tested on FreeBSD 9.2-STABLE.

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

More information about the freebsd-questions mailing list