Date: Fri, 16 May 2014 23:53:27 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-questions@freebsd.org
Subject: Re: "VerifyHostKeyDNS yes" does not work as expected
Message-ID: <20140516165327.GA1465@admin.sibptus.tomsk.ru>
In-Reply-To: <5374D681.5070901@FreeBSD.org>
References: <20140515135405.GA52955@admin.sibptus.tomsk.ru> <5374D681.5070901@FreeBSD.org>
Matthew Seaman wrote:
> >
> > I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
> > connect to a host, I get:
> >
> > $ ssh admin.sibptus.ru
> > The authenticity of host 'admin.sibptus.ru (212.73.125.240)' can't be established.
> > ECDSA key fingerprint is 83:ca:c0:af:42:5c:35:30:38:d7:78:e3:1d:c9:c2:3e.
> > Matching host key fingerprint found in DNS.
> > Are you sure you want to continue connecting (yes/no)?
> >
> > Why does ssh not implicitly trust the key published in DNS? Why does
> > it ask me?
> >
> > The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
> > configured with "dnssec-validation auto". What else am I missing?
> >
> > Thanks for any ideas.
> >
> > Here is some debug: http://pastebin.com/q12R7RPH
>
> Your debug output suggests that ssh doesn't trust the SSHFP results from
> DNS -- which would seem to be a problem with DNSSEC on your domain.
>
> Given dnsviz.net confirms DNSSEC on your domain is fine,

So does http://dnssec-debugger.verisignlabs.com/sibptus.ru

> I guess you need to look into what your recursive resolver is doing
> with DNSSEC records.

Well, the output of "dig admin.sibptus.ru" has the ad flag, does it not mean that the DNS reply is authenticated?

I have also information from my friends running Linux that they are able to connect to admin.sibptus.ru without ssh asking to save the key in ~/.ssh/known_hosts, so the server side is probably working.

Is there anything the matter with the FreeBSD ssh client? I have tested on FreeBSD 9.2-STABLE.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
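The decision ssh makes under VerifyHostKeyDNS, as an added example that is not part of this thread or of OpenSSH: it computes the SSHFP rdata a zone would publish for a host key and accepts the key without prompting only when a record matches and the DNS answer was DNSSEC-authenticated (the ad flag reached the client). The Ed25519 host key is constructed for illustration, not a real key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}   # fptype -> digest


def ssh_string(data):
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed Ed25519 host key (not a real key): the public blob is the
# key type string followed by a 32-byte point, here just 0x00..0x1f.
CONSTRUCTED_HOST_KEY = ("ssh-ed25519", base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode())


def sshfp_records(keytype, b64blob):
    """SSHFP rdata a zone would publish for this key: (alg, fptype, hex fp).
    Both digests are taken over the raw base64-decoded key blob."""
    blob = base64.b64decode(b64blob)
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASHES.items())]


def sshfp_trusts_key(keytype, b64blob, records, authenticated):
    """Emulate ssh's VerifyHostKeyDNS decision: the host key is accepted
    without prompting only if some SSHFP record matches it AND the DNS
    answer was DNSSEC-authenticated (the 'ad' flag reached the client).
    A matching record in an unauthenticated answer only produces the
    'Matching host key fingerprint found in DNS.' hint and still prompts."""
    if not authenticated:
        return False
    blob = base64.b64decode(b64blob)
    for alg, fptype, fingerprint in records:
        if alg != SSHFP_ALGORITHMS.get(keytype) or fptype not in SSHFP_HASHES:
            continue
        if SSHFP_HASHES[fptype](blob).hexdigest() == fingerprint.lower():
            return True
    return False
```

The prompt quoted above ("Matching host key fingerprint found in DNS" followed by the yes/no question) is the unauthenticated-match path: the record was found and matched, but the answer did not arrive marked as validated.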