Turns out this seems to be a never-ending story, and you might have found
a comeback of that issue for your particular configuration, as you say
this worked on 18.04 but fails on 20.04.

This goes way back
https://bugzilla.mindrot.org/show_bug.cgi?id=1455
Or halfway back
https://trac.macports.org/ticket/49007
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618863
https://bugzilla.mindrot.org/show_bug.cgi?id=2119

Other more recent similar issues were around "options edns0" being required to 
be set for this to work now:
https://github.com/NixOS/nixpkgs/issues/12470
https://exanames.typepad.com/blog/2009/06/one-more-thing-to-do-with-dnssec-ssh.html
https://bugzilla.redhat.com/show_bug.cgi?id=1630180
https://bugzilla.redhat.com/show_bug.cgi?id=1878166
Note: that option was the default for /etc/resolv.conf on Bionic/Focal for me.

Various working setups seem to have been affected by 7.5
https://lists.mindrot.org/pipermail/openssh-bugs/2017-April/017631.html
https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-January/036600.html
https://bugzilla.mindrot.org/show_bug.cgi?id=2708

But Bionic -> Focal is openssh version 7.6 -> 8.3

Multiple of the above and some other references refer to requiring ldns support.
That clearly is in openssh since ~v6 but we don't enable it at build time
                   libldns support: no
Is that required and is it now more required than before - I don't know :-/


Sorry, all that I could provide so far was a collection of a (disturbing) 
history of that feature.

** Bug watch added: OpenSSH Portable Bugzilla #1455
   https://bugzilla.mindrot.org/show_bug.cgi?id=1455

** Bug watch added: trac.macports.org #49007
   http://trac.macports.org/ticket/49007

** Bug watch added: Debian Bug tracker #618863
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618863

** Bug watch added: OpenSSH Portable Bugzilla #2119
   https://bugzilla.mindrot.org/show_bug.cgi?id=2119

** Bug watch added: github.com/NixOS/nixpkgs/issues #12470
   https://github.com/NixOS/nixpkgs/issues/12470

** Bug watch added: Red Hat Bugzilla #1630180
   https://bugzilla.redhat.com/show_bug.cgi?id=1630180

** Bug watch added: Red Hat Bugzilla #1878166
   https://bugzilla.redhat.com/show_bug.cgi?id=1878166

** Bug watch added: OpenSSH Portable Bugzilla #2708
   https://bugzilla.mindrot.org/show_bug.cgi?id=2708

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1898590

Title:
  Verify DNS fingerprints not working

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  When setting in /etc/ssh/ssh_config VerifyHostKeyDNS to yes the fingerprints 
are fetched, but the result is always:
  debug1: found n insecure fingerprints in DNS
  With dig +dnssec -tsshfp hostname the result is ok: the ad flag is set.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1898590/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
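The comment above revolves around two client-side conditions for VerifyHostKeyDNS: the resolver must ask for EDNS0 (otherwise the DNSSEC AD bit never reaches the client and every SSHFP record is counted as "insecure"), and the SSHFP records returned for the host must match the host key the server actually presents. The script below is an added example, not part of this bug report and not OpenSSH's own code; it checks both conditions offline. The ed25519 key, the two resolv.conf texts and the DNS answer are constructed sample data, and the function names are my own.

```python
# Added example (not from the bug report or from OpenSSH): offline checks for the
# two VerifyHostKeyDNS prerequisites discussed in the thread. Everything marked
# "constructed" below is sample data made up for this example.
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def resolv_conf_has_edns0(text: str) -> bool:
    """True if some 'options' line in resolv.conf enables edns0.

    '#' and ';' start comments in resolv.conf; only the token 'edns0' is
    looked for, other options (e.g. trust-ad) are ignored."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if fields and fields[0] == "options" and "edns0" in fields[1:]:
            return True
    return False


def sshfp_records_for(pubkey_line: str):
    """SSHFP records for one OpenSSH public key line, as (algorithm, fptype, hex).

    The fingerprint is the hash of the raw key blob (the base64 field), one
    record per fingerprint type, which is what `ssh-keygen -r` publishes."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGORITHM[keytype]
    return [(algo, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_FPTYPE.items())]


def classify_sshfp(pubkey_line: str, dns_records, ad_flag: bool) -> dict:
    """Mirror what the client does with an SSHFP answer.

    Every returned record counts as 'secure' only when the whole answer carried
    the DNSSEC AD flag; 'matched' is how many records equal the presented key's
    fingerprints. A match without AD is exactly the 'insecure fingerprints'
    situation from the bug description: found, but not trusted."""
    expected = {(a, t, fp.lower()) for a, t, fp in sshfp_records_for(pubkey_line)}
    matched = sum(1 for a, t, fp in dns_records if (a, t, fp.lower()) in expected)
    return {"total": len(dns_records), "secure": bool(ad_flag), "matched": matched}


def status_line(result: dict) -> str:
    """Same wording as ssh's debug1 line for the counted records."""
    kind = "secure" if result["secure"] else "insecure"
    return f"found {result['total']} {kind} fingerprints in DNS"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed ed25519 host key: the 32-byte point is just 0x00..0x1f, enough to
# exercise the fingerprint arithmetic (it is not a real key pair).
CONSTRUCTED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
CONSTRUCTED_PUBKEY_LINE = ("ssh-ed25519 "
                           + base64.b64encode(CONSTRUCTED_BLOB).decode()
                           + " host.example")

# Constructed resolv.conf contents, with and without the edns0 option.
RESOLV_CONF_WITH_EDNS0 = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"
RESOLV_CONF_WITHOUT_EDNS0 = "nameserver 127.0.0.53\n# options edns0\nsearch example\n"

# Constructed DNS answer: the two real records for the key plus an unrelated
# RSA/SHA-256 record for a key that was rotated away.
CONSTRUCTED_DNS_ANSWER = sshfp_records_for(CONSTRUCTED_PUBKEY_LINE) + [
    (1, 2, "00" * 32),
]

if __name__ == "__main__":
    print("edns0 in resolv.conf:", resolv_conf_has_edns0(RESOLV_CONF_WITH_EDNS0))
    for ad in (False, True):
        r = classify_sshfp(CONSTRUCTED_PUBKEY_LINE, CONSTRUCTED_DNS_ANSWER, ad)
        print(f"AD={ad}: {status_line(r)}; matched {r['matched']}")
```

Run against a real host, the inputs would be the contents of /etc/resolv.conf, the `ssh-keygen -r` style records from `dig +dnssec -t sshfp hostname` together with the `ad` flag from that answer, and the key line from `ssh-keyscan`. The script deliberately keeps the AD decision separate from the fingerprint comparison, because that is the split the bug description shows: the records are fetched and can match, yet without a validated answer they stay "insecure".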
