Date: Fri, 16 May 2014 23:53:27 +0700
From: Victor Sudakov
To: freebsd-questions@freebsd.org
Subject: Re: "VerifyHostKeyDNS yes" does not work as expected
Message-ID: <20140516165327.GA1465@admin.sibptus.tomsk.ru>
In-Reply-To: <5374D681.5070901@FreeBSD.org>
Organization: AO "Svyaztransneft", SibPTUS

Matthew Seaman wrote:
> > I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
> > connect to a host, I get:
> >
> > $ ssh admin.sibptus.ru
> > The authenticity of host 'admin.sibptus.ru (212.73.125.240)' can't be established.
> > ECDSA key fingerprint is 83:ca:c0:af:42:5c:35:30:38:d7:78:e3:1d:c9:c2:3e.
> > Matching host key fingerprint found in DNS.
> > Are you sure you want to continue connecting (yes/no)?
> >
> > Why does ssh not implicitly trust the key published in DNS? Why does
> > it ask me?
> >
> > The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
> > configured with "dnssec-validation auto". What else am I missing?
> >
> > Thanks for any ideas.
> >
> > Here is some debug: http://pastebin.com/q12R7RPH
>
> Your debug output suggests that ssh doesn't trust the SSHFP results from
> DNS -- which would seem to be a problem with DNSSEC on your domain.
>
> Given dnsviz.net confirms DNSSEC on your domain is fine,

So does http://dnssec-debugger.verisignlabs.com/sibptus.ru

> I guess you need to look into what your recursive resolver is doing
> with DNSSEC records.

Well, the output of "dig admin.sibptus.ru" has the ad flag, does it not
mean that the DNS reply is authenticated?

I have also information from my friends running Linux that they are
able to connect to admin.sibptus.ru without ssh asking to save the key
in ~/.ssh/known_hosts, so the server side is probably working.

Is there anything the matter with the FreeBSD ssh client? I have tested
on FreeBSD 9.2-STABLE.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
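The two conditions the thread circles around, reproduced as an added example that is not part of the list discussion or of OpenSSH: an SSHFP record must match the fingerprint of the key the server actually presented, and the answer carrying it must be DNSSEC-authenticated (the AD flag), otherwise ssh reports "Matching host key fingerprint found in DNS" but still prompts. The host name, key blob and dig output below are constructed samples, not real records.

```python
"""Added example: the two conditions ssh checks before VerifyHostKeyDNS can skip the
prompt: the SSHFP answer is DNSSEC-authenticated (AD flag) and a record matches the
host key the server presented (RFC 4255 / RFC 6594)."""
import base64
import hashlib
import re

# SSHFP algorithm numbers by OpenSSH key type; fingerprint types 1 = SHA-1, 2 = SHA-256
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_fingerprints(keyscan_line):
    """(algo, fptype, hexdigest) tuples for one 'host keytype blob' line as printed
    by ssh-keyscan; these are the values ssh-keygen -r would publish for the key."""
    _host, keytype, blob = keyscan_line.split()[:3]
    raw = base64.b64decode(blob)  # SSHFP hashes the raw key blob, not the base64 text
    return {(SSHFP_ALGO[keytype], t, fn(raw).hexdigest()) for t, fn in SSHFP_HASH.items()}

def parse_dig(dig_output):
    """Return (ad_flag_set, {(algo, fptype, hexdigest)}) from 'dig +dnssec SSHFP host'
    output; dig may print a long fingerprint as several hex tokens."""
    flags = re.search(r";; flags:([^;]*);", dig_output)
    ad = bool(flags and "ad" in flags.group(1).split())
    records = set()
    for line in dig_output.splitlines():
        m = re.match(r"\S+\s+\d+\s+IN\s+SSHFP\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$", line)
        if m:
            records.add((int(m.group(1)), int(m.group(2)), "".join(m.group(3).split()).lower()))
    return ad, records

def verify_host_key_dns(keyscan_line, dig_output):
    """Mirror ssh's decision: a matching record without the AD flag is the
    'Matching host key fingerprint found in DNS' case that still prompts."""
    ad, records = parse_dig(dig_output)
    matched = bool(sshfp_fingerprints(keyscan_line) & records)
    return {"ad": ad, "matched": matched, "trusted": ad and matched}

# Constructed sample: a fake key blob (not a real ECDSA key) for host.example.net
SAMPLE_KEY = "host.example.net ecdsa-sha2-nistp256 " + base64.b64encode(b"constructed blob").decode()

def sample_dig(ad, fingerprint_hex):
    """Constructed dig output for host.example.net, with or without the AD flag."""
    flags = "qr rd ra ad" if ad else "qr rd ra"
    return (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
            ";; ANSWER SECTION:\n"
            f"host.example.net.\t3600\tIN\tSSHFP\t3 2 {fingerprint_hex}\n")
```

ssh does not read dig's output; it performs its own lookup through getrrsetbyname and trusts the record only when that lookup reports the RRset as DNSSEC-validated, so an ad flag in dig does not by itself prove the client sees one. A DNSSEC-unaware resolver path on the client (for ldns-based builds, commonly the absence of `options edns0` in /etc/resolv.conf) produces exactly the matched-but-insecure result shown above.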