From owner-freebsd-questions@FreeBSD.ORG Thu May 15 13:54:09 2014
Date: Thu, 15 May 2014 20:54:05 +0700
From: Victor Sudakov
To: freebsd-questions@freebsd.org
Subject: "VerifyHostKeyDNS yes" does not work as expected
Message-ID: <20140515135405.GA52955@admin.sibptus.tomsk.ru>
Organization: AO "Svyaztransneft", SibPTUS
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: User questions

Dear Colleagues,

I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I connect to a host, I get:

$ ssh admin.sibptus.ru
The authenticity of host 'admin.sibptus.ru (212.73.125.240)' can't be established.
ECDSA key fingerprint is 83:ca:c0:af:42:5c:35:30:38:d7:78:e3:1d:c9:c2:3e.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

Why does ssh not implicitly trust the key published in DNS? Why does it ask me?

The "sibptus.ru" zone is DNSSEC enabled. The local resolver is configured with "dnssec-validation auto".

What else am I missing? Thanks for any ideas.

Here is some debug: http://pastebin.com/q12R7RPH

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
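As an added example, not part of the post above and not OpenSSH's own code, the following Python reproduces how SSHFP records are derived from a host key (what "ssh-keygen -r" prints) and how the ssh client combines the three facts it learns from the resolver: a record was FOUND, it MATCHed the presented key, and the answer was SECURE (DNSSEC-validated, i.e. the AD bit was set on the reply). The flag names and the two messages are those of OpenSSH's dns.c and sshconnect.c; the host key is constructed in the script and is not a real key. The point it makes is that "Matching host key fingerprint found in DNS." is the FOUND+MATCH-but-not-SECURE outcome: the record matched, but because the reply was not marked validated, "VerifyHostKeyDNS yes" still falls back to the interactive prompt.

```python
"""Added example (not from the post, not OpenSSH code): derive SSHFP records
from an OpenSSH public key and replay the VerifyHostKeyDNS decision for them.
Flag names and messages follow OpenSSH's dns.c / sshconnect.c; record code
points follow RFC 4255 and RFC 6594."""
import base64
import hashlib
import struct

# SSHFP code points: algorithm number and fingerprint type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def sshfp_records(pubkey_line: str):
    """Equivalent of `ssh-keygen -r`: (algorithm, fptype, hex digest) tuples for
    one public key line. The digest covers the decoded key blob, not the text."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_FPTYPE.items()]


def verify_host_key_dns(pubkey_line, rrset, validated):
    """Flag set as OpenSSH's verify_host_key_dns() computes it.
    rrset: SSHFP records the resolver returned, as (alg, fptype, hex) tuples.
    validated: whether the reply carried the DNSSEC AD bit (OpenSSH maps this
    to RRSET_VALIDATED and from there to DNS_VERIFY_SECURE)."""
    flags = set()
    if not rrset:
        return flags
    flags.add("FOUND")
    ours = {(a, t, d.lower()) for a, t, d in sshfp_records(pubkey_line)}
    if any((a, t, d.lower()) in ours for a, t, d in rrset):
        flags.add("MATCH")
    if validated:
        flags.add("SECURE")
    return flags


def host_key_decision(flags, verify_host_key_dns="yes"):
    """What sshconnect.c does with the flags for a host absent from known_hosts.
    Returns (action, message) where action is "accept" or "prompt"."""
    if verify_host_key_dns == "yes" and {"FOUND", "MATCH", "SECURE"} <= flags:
        return ("accept", None)          # trusted silently, no question asked
    if "MATCH" in flags:
        return ("prompt", "Matching host key fingerprint found in DNS.")
    return ("prompt", "No matching host key fingerprint found in DNS.")


# Constructed sample key: a syntactically valid ssh-ed25519 blob whose 32 key
# bytes are simply 0..31. It is not a real key; only the framing matters here.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"


def demo():
    """Three outcomes for the same, correctly published SSHFP RRset."""
    published = sshfp_records(SAMPLE_PUBKEY)       # what the zone would carry
    results = {}
    # 1. Records match and the reply had AD set: VerifyHostKeyDNS yes trusts the key.
    results["match+ad"] = host_key_decision(verify_host_key_dns(SAMPLE_PUBKEY, published, True))
    # 2. Records match but AD is clear: ssh reports the match, then prompts anyway.
    results["match-noad"] = host_key_decision(verify_host_key_dns(SAMPLE_PUBKEY, published, False))
    # 3. Records belong to some other key: ssh warns about a mismatch and prompts.
    stale = [(4, 2, "00" * 32)]
    results["stale"] = host_key_decision(verify_host_key_dns(SAMPLE_PUBKEY, stale, True))
    return results


if __name__ == "__main__":
    for alg, fptype, digest in sshfp_records(SAMPLE_PUBKEY):
        print(f"host.example. IN SSHFP {alg} {fptype} {digest}")
    for name, (action, msg) in demo().items():
        print(f"{name:11s} -> {action} {msg or ''}")
```

The "validated" input above stands for something the post does not show: whether the AD bit is set on the reply ssh receives. A validating resolver only sets AD when the client asked for DNSSEC data (the DO bit), so the check a practitioner makes is "dig +dnssec SSHFP <host>" from the same machine and looking for "ad" among the flags. Separately, OpenSSH's bundled getrrsetbyname() (used where libc has none) only requests DNSSEC when the libc resolver has EDNS0 enabled, that is "options edns0" in /etc/resolv.conf; without it the reply can match and still never be SECURE, which is exactly the second case in demo().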