On Sun, 26 Apr 2009, Ted Lemon wrote:

> On Apr 26, 2009, at 12:46 PM, Paul Wouters wrote:
>> You're not using RFC 4255 yet? Shame on you!
>
> From the RFC:
>
>    Another dependency is on the implementation of DNSSEC itself. As stated in
>    Section 2.4, we mandate the use of secure methods for lookup and that SSHFP
>    RRs are authenticated by trusted SIG RRs.
>
> So without DNSSEC, sshfp doesn't really add any security: if someone has
> control over your path, they can spoof both the SSHFP RRs and the host key,
> and in fact now you have even worse security, because ssh may no longer warn
> you that you are being given a new key.

It *still* warns you about new keys and asks you to confirm it. It will just
present additional information on whether or not it matches the DNS record. It
does not replace the leap-of-faith, it adds to it.
So, there is no reason not to use it, even without dnssec. Also, if you run your
own validator, you might have cached the sshfp record before entering the
rogue network, so they won't be able to spoof the SSHFP record.
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
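
An added example, not part of the original thread and not OpenSSH's code: it derives the RFC 4255 SSHFP record data (SHA-1 over the public key blob) from a public key line and models how a client could treat an unknown host key depending on whether the SSHFP answer matches and whether it was DNSSEC-validated. The `decide` function is a hypothetical simplification, and the keys and the `host.example.` name are constructed sample values.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255; fingerprint type 1 is SHA-1.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2}


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def sshfp_rdata(pubkey_line: str) -> str:
    """'<algorithm> <fp-type> <hex>' for an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the fingerprint covers the raw key blob
    return f"{KEY_ALGS[key_type]} 1 {hashlib.sha1(blob).hexdigest()}"


def decide(offered: str, dns_rrs: list, validated: bool) -> str:
    """Hypothetical model of a client seeing an unknown host key."""
    if not dns_rrs:
        return "prompt: no SSHFP record"
    if offered not in dns_rrs:
        return "prompt: WARNING, key does not match SSHFP record"
    if validated:
        return "accept: key matches DNSSEC-validated SSHFP record"
    return "prompt: key matches SSHFP record, but the record is unauthenticated"


def make_key(modulus: bytes) -> str:
    """Constructed ssh-rsa public key line (not a real key)."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


REAL = sshfp_rdata(make_key(b"\x00" + b"\xa5" * 256))
ROGUE = sshfp_rdata(make_key(b"\x00" + b"\xc3" * 256))

if __name__ == "__main__":
    print("zone entry: host.example. IN SSHFP", REAL)
    # Unvalidated path where key and record are both substituted: the match
    # carries no authority, so the user is still asked to confirm.
    print(decide(ROGUE, [ROGUE], validated=False))
    # Validated (or previously cached) genuine record: the substituted key
    # no longer matches and the client warns.
    print(decide(ROGUE, [REAL], validated=True))
    print(decide(REAL, [REAL], validated=True))
```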