From owner-freebsd-questions@FreeBSD.ORG Thu Jun 12 05:45:57 2014
Date: Thu, 12 Jun 2014 12:45:51 +0700
From: Victor Sudakov
To: freebsd-questions@freebsd.org
Subject: Re: "VerifyHostKeyDNS yes" does not work as expected
Message-ID: <20140612054551.GA37354@admin.sibptus.tomsk.ru>
Organization: AO "Svyaztransneft", SibPTUS
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: User questions

Victor Sudakov wrote:
>
> I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
> connect to a host, I get:

If anyone has DNSSEC enabled in their resolver, could you please try
and ssh to noc.sibptus.ru and report if your ssh client trusts the
host keys in DNS? Please report your OS version too.

>
> Why does ssh not implicitly trust the key published in DNS? Why does
> it ask me?
>
> The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
> configured with "dnssec-validation auto". What else am I missing?
>

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
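The decision the post asks about, written out as an added Python example (not code from the thread or from OpenSSH): it builds the SSHFP records that `ssh-keygen -r` would publish for a host key and mirrors the client-side rule that a matching record is trusted without prompting only when the DNS answer came back with the AD bit set. The host key is a constructed ssh-ed25519 blob and the hostname is a placeholder; both are assumptions, not values from the post.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FINGERPRINT_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _key_blob(pubkey_line):
    """Return (OpenSSH key type, raw key blob) from one public-key line."""
    key_type, b64, *_ = pubkey_line.split()
    return key_type, base64.b64decode(b64)


def sshfp_records(hostname, pubkey_line):
    """Zone-file SSHFP records for a host key. The fingerprint is the hash
    of the raw key blob, which is exactly what ssh-keygen -r publishes."""
    key_type, blob = _key_blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[key_type]
    return [f"{hostname}. IN SSHFP {alg} {fptype} {h(blob).hexdigest()}"
            for fptype, h in sorted(FINGERPRINT_HASHES.items())]


def client_trusts_key(pubkey_line, dns_records, ad_flag):
    """Mirror the VerifyHostKeyDNS decision: OpenSSH skips the host-key
    prompt only when an SSHFP record matches AND the answer carried the AD
    (authenticated data) bit, i.e. the local resolver validated it with
    DNSSEC. A match in an unvalidated answer is reported but still prompts."""
    if not ad_flag:
        return False
    key_type, blob = _key_blob(pubkey_line)
    for rec in dns_records:
        alg, fptype, hexfp = rec.split()[-3:]
        if int(alg) != SSHFP_ALGORITHMS[key_type]:
            continue
        if FINGERPRINT_HASHES[int(fptype)](blob).hexdigest() == hexfp.lower():
            return True
    return False


# Constructed sample: a well-formed ssh-ed25519 blob with a dummy 32-byte key.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed@example"
```

To see whether a resolver actually hands the AD bit to the client, run `dig +dnssec SSHFP <host>` against the server listed in /etc/resolv.conf and look for `ad` in the `flags:` line of the answer.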