On Fri, 1 Apr 2011, Matthew Dempsky wrote:

> Anyway, I'm interested in knowing what people think of adding this
> feature. I don't know of any other getaddrinfo(3) implementations
> that support it, but djm@ mentioned that it would be nice to have in
> OpenSSH for host key validation.
To expand on the problem that this solves - consider what happens when you ssh to an unqualified hostname ("ssh monkeynuts"). Currently, the host's key is recorded alongside its unqualified name, and if you ever ssh to the same host using a qualified domain (e.g. because your laptop received a different one via DHCP) then you will receive a new hostkey warning and an extra entry in known_hosts.

There are various hacks around this in ssh_config(5) such as explicitly listing each host and specifying its full hostname using a Hostname directive, or applying a default domain name to all hosts. Unfortunately these have annoying corner cases or are a maintenance hassle.

The situation is worse for host certificates, where you don't really want to sign unqualified host names at all.

AI_FQDN solves these problems quite nicely. It is also useful for web browsers that face a similar problem (e.g. https://intranet/) but getting them to adopt it might be more tricky.

I'd love to see this get deployed so we can use it in OpenSSH (which we can change quickly).

-d
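As an added illustration of the known_hosts mismatch described in the message above (example code, not from the thread or from OpenSSH): the known_hosts lines and the resolver table are constructed, and `resolve_fqdn` is only a stand-in for what a getaddrinfo(3) call with the proposed AI_FQDN flag would return.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for AI_FQDN: map a name as typed to the fully
 * qualified name it resolves to. No real DNS lookup is performed. */
static const char *resolve_fqdn(const char *host)
{
    static const struct { const char *name, *fqdn; } table[] = {
        { "monkeynuts",             "monkeynuts.example.com" },
        { "monkeynuts.example.com", "monkeynuts.example.com" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(host, table[i].name) == 0)
            return table[i].fqdn;
    return host; /* unknown name: leave it as typed */
}

/* One known_hosts line is "host1,host2 keytype base64key". Return 1 if
 * 'host' is one of the comma-separated names (hashed names, wildcard
 * patterns and [host]:port forms of real files are not handled here). */
static int known_hosts_line_matches(const char *line, const char *host)
{
    const char *end = strchr(line, ' ');
    size_t hlen = strlen(host);
    if (end == NULL)
        return 0;
    for (const char *p = line; p < end; ) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        const char *stop = comma ? comma : end;
        if ((size_t)(stop - p) == hlen && strncmp(p, host, hlen) == 0)
            return 1;
        p = stop + 1;
    }
    return 0;
}

/* Look 'host' up in a known_hosts file; with canonicalize != 0 the name
 * is first mapped to its FQDN, as a client using AI_FQDN would do both
 * when recording the key and when checking it. */
static int host_key_known(const char *const *lines, size_t n,
                          const char *host, int canonicalize)
{
    const char *name = canonicalize ? resolve_fqdn(host) : host;
    for (size_t i = 0; i < n; i++)
        if (known_hosts_line_matches(lines[i], name))
            return 1;
    return 0; /* a client would now print a new-hostkey warning */
}

/* Constructed known_hosts content; keys are placeholders, not real keys. */
static const char *const KNOWN_HOSTS_TODAY[] =
    { "monkeynuts ssh-ed25519 AAAAC3PLACEHOLDER" };        /* recorded unqualified */
static const char *const KNOWN_HOSTS_FQDN[] =
    { "monkeynuts.example.com ssh-ed25519 AAAAC3PLACEHOLDER" }; /* recorded via AI_FQDN */

int known_today(const char *host)     { return host_key_known(KNOWN_HOSTS_TODAY, 1, host, 0); }
int known_with_fqdn(const char *host) { return host_key_known(KNOWN_HOSTS_FQDN, 1, host, 1); }
```

Without canonicalization the qualified name misses the entry recorded under the short name, which is exactly the spurious warning and duplicate entry the message describes; with every name canonicalized first, both spellings hit the same entry.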