Public bug reported:

Hi,

openssh can look up a host's key in the DNS (via the SSHFP record) and use it to compare against the host's presented public key:

VerifyHostKeyDNS yes

I believe that if the connection is secured via DNSSEC, this option will allow the host's key to be automagically accepted. However, I have not verified that myself. I have had this personally set to 'yes', and for initial connections to hosts which are NOT secured via DNSSEC I am prompted to accept the key. If you want to be more cautious with the change, then perhaps setting 'VerifyHostKeyDNS ask' would be better.

Either way, I think that making this the default option will:

- increase security for those who choose to deploy SSHFP
- increase awareness of this ability

The only downside is that a connection will make external calls to the DNS to determine if an SSHFP record exists.

It would be great if this change could be made before 12.04 is released.

** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/825825
Title: have DNS based verification occur by default
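The check the report describes, as an added example (not code from the bug report or from OpenSSH itself): it builds the SSHFP rdata that `ssh-keygen -r` would publish for a host key, matches a presented key against it, and models when `VerifyHostKeyDNS yes` accepts silently versus falling back to the prompt. The sample key blob is constructed, not a real host key, and the `decide` function is a simplified model of the client's logic.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGO = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Build the (algorithm, fptype, hex-fingerprint) SSHFP rdata for one host key line.

    The fingerprint covers the raw key blob (the base64-decoded field), which is the
    data 'ssh-keygen -r host' hashes when it prints SSHFP records for a zone file.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGO[keytype]
    return {(algo, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_FPTYPE.items()}


def host_key_matches(pubkey_line, records):
    """Client-side check: does the key the server presented match any published SSHFP record?"""
    return bool(sshfp_records(pubkey_line) & set(records))


def decide(pubkey_line, records, dnssec_validated, verify_host_key_dns="yes"):
    """Simplified model of the VerifyHostKeyDNS decision for a host not yet in known_hosts.

    Only a fingerprint that both matches and came back DNSSEC-validated (AD bit set)
    lets 'VerifyHostKeyDNS yes' accept without asking; 'ask', an unsigned zone, a
    missing record, or a mismatch all fall back to the interactive prompt.
    """
    if verify_host_key_dns == "no" or not records:
        return "prompt"
    if host_key_matches(pubkey_line, records) and dnssec_validated and verify_host_key_dns == "yes":
        return "accept"
    return "prompt"


# Constructed sample: a syntactically valid ssh-ed25519 blob (NOT a real key), plus a
# tampered copy that differs in one byte, as a man-in-the-middle's substitute key would.
_blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " host.example"
TAMPERED_KEY = "ssh-ed25519 " + base64.b64encode(_blob[:-1] + b"\xff").decode() + " host.example"
SAMPLE_RECORDS = sshfp_records(SAMPLE_KEY)  # what the zone operator would publish
```

Publishing both SHA-1 and SHA-256 records mirrors what `ssh-keygen -r` emits; the client only needs one of them to match.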