From owner-freebsd-questions@FreeBSD.ORG Thu May 15 15:00:32 2014
From: Matthew Seaman <matthew@FreeBSD.org>
Date: Thu, 15 May 2014 11:00:17 -0400
To: freebsd-questions@freebsd.org
Subject: Re: "VerifyHostKeyDNS yes" does not work as expected
Message-ID: <5374D681.5070901@FreeBSD.org>
In-Reply-To: <20140515135405.GA52955@admin.sibptus.tomsk.ru>
On 15/05/2014 09:54, Victor Sudakov wrote:
> Dear Colleagues,
>
> I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
> connect to a host, I get:
>
> $ ssh admin.sibptus.ru
> The authenticity of host 'admin.sibptus.ru (212.73.125.240)' can't be established.
> ECDSA key fingerprint is 83:ca:c0:af:42:5c:35:30:38:d7:78:e3:1d:c9:c2:3e.
> Matching host key fingerprint found in DNS.
> Are you sure you want to continue connecting (yes/no)?
>
> Why does ssh not implicitly trust the key published in DNS? Why does
> it ask me?
>
> The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
> configured with "dnssec-validation auto". What else am I missing?
>
> Thanks for any ideas.
>
> Here is some debug: http://pastebin.com/q12R7RPH
>

Your debug output suggests that ssh doesn't trust the SSHFP results from
DNS -- which would seem to be a problem with DNSSEC on your domain.
Given dnsviz.net confirms DNSSEC on your domain is fine, I guess you
need to look into what your recursive resolver is doing with DNSSEC
records.

Also, VerifyHostKeyDNS yes is the default in recent FBSD.
Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
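An added example, not part of the thread, for the check Matthew points at: OpenSSH only auto-accepts an SSHFP match when the stub resolver reports the answer as DNSSEC-validated (the AD bit), so a matching but unvalidated answer still ends in the yes/no prompt quoted above. The script builds the SSHFP records a host key should publish (to compare with what `dig +dnssec SSHFP <host>` returns) and tests dig output for the `ad` flag; the key type, key blob and dig header snippets are constructed placeholders, not the poster's real data.

```python
"""Why a matching SSHFP record can still produce the ssh prompt.

Added example (not from the original thread). OpenSSH only auto-accepts a
host key from DNS when the resolver marks the SSHFP answer as validated
(AD bit); an unvalidated match gives "found in DNS" plus the prompt.
"""
import base64
import hashlib
import re

# SSHFP algorithm numbers per OpenSSH key type (RFC 4255, 6594, 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256 (hash of the raw key blob).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed samples: a fake key blob and two abbreviated dig header lines.
CONSTRUCTED_KEY = "admin.sibptus.ru ecdsa-sha2-nistp256 " + \
    base64.b64encode(b"constructed blob, not a real key").decode()
DIG_VALIDATED = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0\n"
DIG_UNVALIDATED = ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0\n"


def sshfp_digests(key_type, key_blob):
    """(algorithm, fptype, hex) tuples for a raw public-key blob."""
    algo = SSHFP_ALGO[key_type]
    return [(algo, fptype, h(key_blob).hexdigest())
            for fptype, h in SSHFP_HASH.items()]


def sshfp_records(hostname, pubkey_line):
    """SSHFP RR text from a known_hosts / ssh-keyscan style line."""
    fields = pubkey_line.split()
    i = next(n for n, f in enumerate(fields) if f in SSHFP_ALGO)
    blob = base64.b64decode(fields[i + 1])
    return ["%s. IN SSHFP %d %d %s" % (hostname, a, t, hx)
            for a, t, hx in sshfp_digests(fields[i], blob)]


def dnssec_validated(dig_output):
    """True if the dig header carries the AD (authenticated data) flag."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    return bool(m) and "ad" in m.group(1).split()


if __name__ == "__main__":
    for rr in sshfp_records("admin.sibptus.ru", CONSTRUCTED_KEY):
        print(rr)  # compare with: dig +dnssec SSHFP admin.sibptus.ru
    for name, out in (("validated", DIG_VALIDATED), ("plain", DIG_UNVALIDATED)):
        print(name, "-> ssh would auto-accept:", dnssec_validated(out))
```

`ssh -v` makes the same distinction itself, logging whether it found secure or insecure fingerprints in DNS; the insecure case is what the prompt above indicates, and it points at the resolver, not the zone.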