As a first step I tried to make sure this actually is a change in openssh. Because my reading of the issues referred above has shown that not all of the verification is done inside ssh but partially in glibc.
So I upgraded on the bionic test system step by step. The upgrade dependency list for openssh-client is "libc-bin libc6 libgssapi-krb5-2 libkrb5-3 libkrb5support0 locales" I found that the bug is reproducible with openssh-client 1:7.6p1-4ubuntu0.3 running against the newer glibc. I can switch in/out the reported bug be switching on a Bionic system between glibc 2.27-3ubuntu1.2 - Bionic - Good 2.31-0ubuntu9.1 - Focal - Bad ** Also affects: glibc (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1898590 Title: Verify DNS fingerprints not working Status in glibc package in Ubuntu: New Status in openssh package in Ubuntu: Confirmed Bug description: When setting in /etc/ssh/ssh_config VerifyHostKeyDNS to yes the fingerprints are fetched, but the result is always: debug1: found n insecure fingerprints in DNS With dig +dnssec -tsshfp hostname the result is ok: ad flg is set. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1898590/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp