Something helpful for anyone looking into this later: I found what seems a good test case without requiring too much of a local setup (of a DNSSEC DNS server).

To get unbound (brute force) do:

    apt install unbound
    sudo systemctl stop systemd-resolved
    sudo systemctl disable systemd-resolved
    sudo systemctl enable unbound-resolvconf
    sudo systemctl enable unbound
    # set 127.0.0.1
    vim /etc/resolv.conf

Now this should show the ad flag as reported:

    $ dig salsa.debian.org -t sshfp
    ...
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    $ ssh -v -o "VerifyHostKeyDNS=yes" t...@salsa.debian.org

This indeed (as reported) does show the changed behavior (clean LXD containers, just the changes mentioned above, edns0 set by default):

Bionic:

    debug1: found 4 secure fingerprints in DNS
    debug1: matching host key fingerprint found in DNS

Focal:

    debug1: found 4 insecure fingerprints in DNS
    debug1: matching host key fingerprint found in DNS
    The authenticity of host 'salsa.debian.org (209.87.16.44)' can't be established.
    ED25519 key fingerprint is SHA256:OAD3pGSwcODIthxF+zIRvPTZ8UCJAYI75E42XDfGr84.
    Matching host key fingerprint found in DNS.

** Changed in: openssh (Ubuntu)
       Status: New => Confirmed

https://bugs.launchpad.net/bugs/1898590

Title:
  Verify DNS fingerprints not working

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  When setting VerifyHostKeyDNS to yes in /etc/ssh/ssh_config, the fingerprints are fetched, but the result is always:

      debug1: found n insecure fingerprints in DNS

  With dig +dnssec -tsshfp hostname the result is ok: the ad flag is set.
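As an added illustration, not code from the bug report or from OpenSSH, here is a small Python check that mirrors the decision ssh -v reports above: it derives the SSHFP record from a host public-key blob the same way ssh-keygen -r does (SHA-256 of the key blob), parses dig output for the SSHFP records and the AD bit, and reports "secure" only when a record matches and the resolver set AD. The key blob and the dig output are constructed samples, and example.test is a placeholder name.

```python
import base64
import hashlib
import re

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and the SHA-256 fingerprint type.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_SHA256 = 2

def sshfp_from_pubkey(keytype, blob_b64):
    """SSHFP RDATA (alg, fptype, hex digest) for a base64 public-key blob, as `ssh-keygen -r` prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).hexdigest()
    return (SSHFP_ALG[keytype], SSHFP_SHA256, digest)

def openssh_fingerprint(blob_b64):
    """The same digest in the 'SHA256:...' form ssh prints: unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def ad_flag_set(dig_output):
    """True when the resolver set the AD (authenticated data) bit in its answer."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    return bool(m) and "ad" in m.group(1).split()

def parse_sshfp_records(dig_output):
    """Collect (alg, fptype, hex) from the ANSWER section lines of dig output."""
    recs = []
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) >= 7 and f[2] == "IN" and f[3] == "SSHFP":  # name ttl class type alg fptype hex
            recs.append((int(f[4]), int(f[5]), "".join(f[6:]).lower()))
    return recs

def dns_verdict(dig_output, keytype, blob_b64):
    """Mirror what ssh -v reports: a matching record counts as 'secure' only with the AD bit."""
    if sshfp_from_pubkey(keytype, blob_b64) not in parse_sshfp_records(dig_output):
        return "no match"
    return "secure" if ad_flag_set(dig_output) else "insecure"

# Constructed sample: an ssh-ed25519 blob with a made-up 32-byte key, and dig output derived from it.
KEY_B64 = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
_ALG, _FPT, _HEX = sshfp_from_pubkey("ssh-ed25519", KEY_B64)
DIG_VALIDATED = f""";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.\t3600\tIN\tSSHFP\t{_ALG} {_FPT} {_HEX}
"""
DIG_UNVALIDATED = DIG_VALIDATED.replace("ra ad;", "ra;")  # same data, resolver did not validate
```

Run `dns_verdict(DIG_VALIDATED, "ssh-ed25519", KEY_B64)` to get "secure" and the same call with DIG_UNVALIDATED to get "insecure"; that second outcome is what the Focal run above shows even though dig itself sees the AD bit.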