> On Dec 3, 2022, at 8:30 AM, Andre Rodier <an...@rodier.me> wrote: > > Where am I making a mistake, please ?
The DNSSEC looks fine. That is, there is a secure chain from the root to the SSHFP record (see below). Have you tried adding the VerifyHostKeyDNS=yes option? ssh -o VerifyHostKeyDNS=yes main.homebox.world Casey [1] $ dnsviz probe -a . -A -R sshfp main.homebox.world | dnsviz print No global IPv6 connectivity detected Analyzing . Analyzing world Analyzing homebox.world Analyzing main.homebox.world . [.] [.] DNSKEY: 8/20326/257 [.], 8/18733/256 [.] [.] RRSIG: ./8/20326 (2022-11-30 - 2022-12-21) [.] world [.] [.] [.] DS: 8/13081/2 [.] [.] RRSIG: ./8/18733 (2022-12-03 - 2022-12-16) [.] [.] DNSKEY: 8/13081/257 [.], 8/5436/256 [.], 8/60063/256 [.] [.] RRSIG: world/8/13081 (2022-12-01 - 2022-12-22) [.] homebox.world [.] [.] [.] DS: 13/8704/2 [.], 13/19691/2 [.], 13/45407/2 [.] [.] RRSIG: world/8/5436 (2022-12-02 - 2022-12-23) [.] [.] DNSKEY: 13/19691/257 [.], 13/45407/256 [.], 13/8704/257 [.] [.] RRSIG: homebox.world/13/8704 (2022-11-24 - 2022-12-15) [.] [.] RRSIG: homebox.world/13/19691 (2022-11-24 - 2022-12-15) [.] main.homebox.world [.] SSHFP: 1 2 7cf3701693baeb8406fd0db7182e01bbadc1f639ba4fc2ca7224116cc9d237dc, 2 1 eb09a2823e9d8a51ef7fe3260e0890a56924da6f, 3 1 142f2a695a2e06cabab6e19800657c3f0b28301d, 4 1 35d346e05d1351a78868e033ebe736c3030d3551, 4 2 052736c5f2e6dce7d41aeeb7f41dbce01d19d2ac9e9ccffab79fb37ab85ce335, 2 2 c3cdd443653530c94c1b90511f3e07ce8fe1fcbbcd60e37729543a577b0a5a44, 3 2 4f6dd59b7c671e9fe3265057aef76bc448aef75a4fce35513c17c62e9bb9c8f6, 1 1 ea89f6c8c8eda5e29e913f4448a816a19624d125 [.] RRSIG: homebox.world/13/45407 (2022-11-24 - 2022-12-15) [.]