Hello, all. I have implemented DNSSEC successfully (apparently) on a test box (using PowerDNS, btw). We can see the test here:
https://dnssec-debugger.verisignlabs.com/homebox.world I have set my SSHFP records correctly (I think): > dig +dnssec -t SSHFP main.homebox.world @1.1.1.1 > ; <<>> DiG 9.18.8-1~bpo11+1-Debian <<>> +dnssec -t SSHFP > main.homebox.world @1.1.1.1 > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26002 > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: > 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 1232 > ;; QUESTION SECTION: > ;main.homebox.world. IN SSHFP > > ;; ANSWER SECTION: > main.homebox.world. 3600 IN SSHFP 1 1 > EA89F6C8C8EDA5E29E913F4448A816A19624D125 > main.homebox.world. 3600 IN SSHFP 1 2 > 7CF3701693BAEB8406FD0DB7182E01BBADC1F639BA4FC2CA7224116C C9D237DC > main.homebox.world. 3600 IN SSHFP 2 1 > EB09A2823E9D8A51EF7FE3260E0890A56924DA6F > main.homebox.world. 3600 IN SSHFP 2 2 > C3CDD443653530C94C1B90511F3E07CE8FE1FCBBCD60E37729543A57 7B0A5A44 > main.homebox.world. 3600 IN SSHFP 3 1 > 142F2A695A2E06CABAB6E19800657C3F0B28301D > main.homebox.world. 3600 IN SSHFP 3 2 > 4F6DD59B7C671E9FE3265057AEF76BC448AEF75A4FCE35513C17C62E 9BB9C8F6 > main.homebox.world. 3600 IN SSHFP 4 1 > 35D346E05D1351A78868E033EBE736C3030D3551 > main.homebox.world. 3600 IN SSHFP 4 2 > 052736C5F2E6DCE7D41AEEB7F41DBCE01D19D2AC9E9CCFFAB79FB37A B85CE335 > main.homebox.world. 3600 IN RRSIG SSHFP 13 3 3600 > 20221215000000 20221124000000 45407 homebox.world. > t30IX78PNMQLWy7g/3Xs8JvEgcwK6dEnxk7MtJZ9Iqk6ATKfZ32u0uPu > nYw8Hi+bkU45qcQ+9gl5iWCOrd3VVA== > > ;; Query time: 52 msec > ;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP) > ;; WHEN: Sat Dec 03 15:28:26 GMT 2022 > ;; MSG SIZE rcvd: 476 However, when I connect using SSH, the client complains the keys are insecure: > OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022 > debug1: Reading configuration data /home/andre/.ssh/config > debug1: /home/andre/.ssh/config line 21: Applying options for > main.homebox.world > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: /etc/ssh/ssh_config line 19: include > /etc/ssh/ssh_config.d/*.conf matched no files > debug1: /etc/ssh/ssh_config line 21: Applying options for * > debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> > '/home/andre/.ssh/known_hosts' > debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> > '/home/andre/.ssh/known_hosts2' > debug2: resolving "main.homebox.world" port 22 > debug2: ssh_connect_direct > debug1: Connecting to main.homebox.world [78.141.231.71] port 22. > debug1: Connection established. > debug1: identity file /home/andre/.ssh/id_rsa type 0 > debug1: identity file /home/andre/.ssh/id_rsa-cert type -1 > debug1: identity file /home/andre/.ssh/id_dsa type -1 > debug1: identity file /home/andre/.ssh/id_dsa-cert type -1 > debug1: identity file /home/andre/.ssh/id_ecdsa type -1 > debug1: identity file /home/andre/.ssh/id_ecdsa-cert type -1 > debug1: identity file /home/andre/.ssh/id_ecdsa_sk type -1 > debug1: identity file /home/andre/.ssh/id_ecdsa_sk-cert type -1 > debug1: identity file /home/andre/.ssh/id_ed25519 type -1 > debug1: identity file /home/andre/.ssh/id_ed25519-cert type -1 > debug1: identity file /home/andre/.ssh/id_ed25519_sk type -1 > debug1: identity file /home/andre/.ssh/id_ed25519_sk-cert type -1 > debug1: identity file /home/andre/.ssh/id_xmss type -1 > debug1: identity file /home/andre/.ssh/id_xmss-cert type -1 > debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1 > debug1: Remote protocol version 2.0, remote software version > OpenSSH_8.4p1 Debian-5+deb11u1 > debug1: match: OpenSSH_8.4p1 Debian-5+deb11u1 pat OpenSSH* compat > 0x04000000 > debug2: fd 3 setting O_NONBLOCK > debug1: Authenticating to main.homebox.world:22 as 'root' > debug3: hostkeys_foreach: reading file "/home/andre/.ssh/known_hosts" > debug3: send packet: type 20 > debug1: SSH2_MSG_KEXINIT sent > debug3: receive packet: type 20 > debug1: SSH2_MSG_KEXINIT received > debug2: local client KEXINIT proposal > debug2: KEX algorithms: curve25519-sha256, > curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2- > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange- > sha256,diffie-hellman-group16-sha512,diffie-hellman-group18- > sha512,diffie-hellman-group14-sha256,ext-info-c > debug2: host key algorithms: > ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com > , ecdsa-sha2-nistp521-cert-...@openssh.com, > sk-ecdsa-sha2-nistp256-cert-...@openssh.com, > ssh-ed25519-cert-...@openssh.com,sk-ssh-ed25519-cert-...@openssh.com, > rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com, > ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2- > nistp384,ecdsa-sha2-nistp521, > sk-ecdsa-sha2-nistp...@openssh.com,ssh-ed25519, > sk-ssh-ed25...@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa > debug2: ciphers ctos: chacha20-poly1...@openssh.com,aes128- > ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com, > aes256-...@openssh.com > debug2: ciphers stoc: chacha20-poly1...@openssh.com,aes128- > ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com, > aes256-...@openssh.com > debug2: MACs ctos: umac-64-...@openssh.com,umac-128-...@openssh.com, > hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com, > hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hm > ac-sha2-256,hmac-sha2-512,hmac-sha1 > debug2: MACs stoc: umac-64-...@openssh.com,umac-128-...@openssh.com, > hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com, > hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hm > ac-sha2-256,hmac-sha2-512,hmac-sha1 > debug2: compression ctos: z...@openssh.com,zlib,none > debug2: compression stoc: z...@openssh.com,zlib,none > debug2: languages ctos: > debug2: languages stoc: > debug2: first_kex_follows 0 > debug2: reserved 0 > debug2: peer server KEXINIT proposal > debug2: KEX algorithms: curve25519-sha256, > curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2- > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange- > sha256,diffie-hellman-group16-sha512,diffie-hellman-group18- > sha512,diffie-hellman-group14-sha256 > debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa- > sha2-nistp256,ssh-ed25519 > debug2: ciphers ctos: chacha20-poly1...@openssh.com,aes128- > ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com, > aes256-...@openssh.com > debug2: ciphers stoc: chacha20-poly1...@openssh.com,aes128- > ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com, > aes256-...@openssh.com > debug2: MACs ctos: umac-64-...@openssh.com,umac-128-...@openssh.com, > hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com, > hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hm > ac-sha2-256,hmac-sha2-512,hmac-sha1 > debug2: MACs stoc: umac-64-...@openssh.com,umac-128-...@openssh.com, > hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com, > hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hm > ac-sha2-256,hmac-sha2-512,hmac-sha1 > debug2: compression ctos: none,z...@openssh.com > debug2: compression stoc: none,z...@openssh.com > debug2: languages ctos: > debug2: languages stoc: > debug2: first_kex_follows 0 > debug2: reserved 0 > debug1: kex: algorithm: curve25519-sha256 > debug1: kex: host key algorithm: ecdsa-sha2-nistp256 > debug1: kex: server->client cipher: chacha20-poly1...@openssh.com > MAC: <implicit> compression: z...@openssh.com > debug1: kex: client->server cipher: chacha20-poly1...@openssh.com > MAC: <implicit> compression: z...@openssh.com > debug3: send packet: type 30 > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug3: receive packet: type 31 > debug1: Server host key: ecdsa-sha2-nistp256 > SHA256:T23Vm3xnHp/jJlBXrvdrxEiu91pPzjVRPBfGLpu5yPY > debug3: verify_host_key_dns > debug1: found 8 insecure fingerprints in DNS > debug1: matching host key fingerprint found in DNS > debug3: hostkeys_foreach: reading file "/home/andre/.ssh/known_hosts" > debug3: hostkeys_foreach: reading file "/home/andre/.ssh/known_hosts" > debug3: record_hostkey: found key type ECDSA in file > /home/andre/.ssh/known_hosts:59 > debug3: load_hostkeys: loaded 1 keys from 78.141.231.71 > The authenticity of host 'main.homebox.world (78.141.231.71)' can't > be established. > ECDSA key fingerprint is > SHA256:T23Vm3xnHp/jJlBXrvdrxEiu91pPzjVRPBfGLpu5yPY. > Matching host key fingerprint found in DNS. > Are you sure you want to continue connecting (yes/no/[fingerprint])? Where am I making a mistake, please ? Thanks, André