OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
disable LDNS in src.conf.  If DNSSEC is enabled, the default setting for
VerifyHostKeyDNS is "yes".  This means that OpenSSH will silently trust
DNSSEC-signed SSHFP records.  I consider this a lesser evil than "ask"
(aka "train the user to type 'yes' and hit enter") and "no" (aka "train
the user to type 'yes' and hit enter without even the benefit of a
second opinion").

Dag-Erling Smørgrav -
_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Reply via email to