On Sat, 2022-12-03 at 12:09 -0700, Casey Deccio wrote: > > > On Dec 3, 2022, at 9:22 AM, Andre Rodier <an...@rodier.me> wrote: > > > > > ssh -o VerifyHostKeyDNS=yes main.homebox.world > > > > Yes, this is the default option in my ssh/config file. > > > > I tried on the command line as well, but same result: > > It could be that your default DNS resolver is not validating. ssh simply > looks at the result of the DNSSEC validation > provided by your default resolver [1], so if it's not validating then you > will never get "secure". In the example in > your original post, you queried 1.1.1.1, which is a validating resolver. But > your default resolver might yield > different results. To test, do the following: > > $ dig +dnssec main.homebox.world sshfp > > And look for the presence of the "ad" (authenticated data) flag in the > response. > > Casey > > [1] https://github.com/openssh/openssh-portable/blob/master/dns.c#L230
Thanks for your suggestion. I was already using 1.1.1.1 in /etc/resolv.conf, when I had the issue. I am running Debian Bullseye. Kind regards, André