On Apr 26, 2009, at 12:46 PM, Paul Wouters wrote:
> You're not using RFC 4255 yet? Shame on you!

From the RFC:

Another dependency is on the implementation of DNSSEC itself. As stated in Section 2.4, we mandate the use of secure methods for lookup and that SSHFP RRs are authenticated by trusted SIG RRs.


So without DNSSEC, SSHFP doesn't really add any security: if someone has control over your path, they can spoof both the SSHFP RRs and the host key, and in fact now you have even worse security, because ssh may no longer warn you that you are being given a new key. Of course, hopefully ssh is implemented in such a way that it makes sure the SSHFP RR has been validated by the resolver before using it; I haven't actually tried it, so I don't know.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
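
The check discussed in the message above, as an added example that is not part of the original post and not code from any SSH implementation: an SSHFP match counts as authentication only when the DNS response carries the AD (Authentic Data) bit. The function names and the trust/ask/mismatch policy are hypothetical, the sample data is constructed, and the AD bit is assumed to come from a validating resolver reached over a trusted path (for example on localhost).

```python
import hashlib
import hmac
import struct

AD_FLAG = 0x0020                               # "Authentic Data" bit in DNS header flags
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fp types (RFC 4255, RFC 6594)
KEY_ALGS = {b"ssh-rsa": 1, b"ssh-dss": 2}      # SSHFP algorithm numbers (RFC 4255)

def ad_bit_set(dns_message: bytes) -> bool:
    """True if the response header says the resolver validated the answer."""
    if len(dns_message) < 12:                  # shorter than a DNS header
        return False
    (flags,) = struct.unpack_from(">H", dns_message, 2)
    return bool(flags & AD_FLAG)

def sshfp_matches(rdata: bytes, key_blob: bytes) -> bool:
    """Compare SSHFP RDATA (algorithm, fp type, digest) with the offered key blob."""
    if len(rdata) < 3 or len(key_blob) < 4:
        return False
    alg, fp_type = rdata[0], rdata[1]
    (name_len,) = struct.unpack_from(">I", key_blob, 0)
    key_name = key_blob[4:4 + name_len]        # e.g. b"ssh-rsa"
    if KEY_ALGS.get(key_name) != alg or fp_type not in HASHES:
        return False
    return hmac.compare_digest(HASHES[fp_type](key_blob).digest(), rdata[2:])

def host_key_decision(dns_message: bytes, rdata: bytes, key_blob: bytes) -> str:
    """Hypothetical policy: 'trust', 'ask' (fall back to known_hosts) or 'mismatch'."""
    if not sshfp_matches(rdata, key_blob):
        return "mismatch"
    # An on-path attacker can forge a matching SSHFP RR for a forged key,
    # so a match without DNSSEC validation must never silence the new-key prompt.
    return "trust" if ad_bit_set(dns_message) else "ask"

# Constructed sample data (not real keys or captured traffic).
def sample_blob(body: bytes) -> bytes:
    return struct.pack(">I", 7) + b"ssh-rsa" + body

def sample_header(flags: int) -> bytes:
    return struct.pack(">HHHHHH", 0x1234, flags, 1, 1, 0, 0)

def sample_sshfp(blob: bytes) -> bytes:
    return bytes([1, 1]) + hashlib.sha1(blob).digest()

if __name__ == "__main__":
    real, fake = sample_blob(b"constructed-real-key"), sample_blob(b"constructed-spoofed-key")
    print(host_key_decision(sample_header(0x81A0), sample_sshfp(real), real))
    print(host_key_decision(sample_header(0x8180), sample_sshfp(fake), fake))
    print(host_key_decision(sample_header(0x81A0), sample_sshfp(real), fake))
```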
