On 26/02/2025 19:00, Phillip Hallam-Baker wrote:

> As part of that, I wanted to know if there was any *existing* use of the SSHFP record for publishing SSH credentials and if so whether it was limited to the server. And yes, I can read the specs; what I am asking about is actual practice.

My personal opinion (that quite a few people disagree with) is that SSHFP records can be trusted only if the application does DNSSEC validation. However, implementations tend to rely on the AD bit. For a while I had a fork of OpenSSH that did do DNSSEC validation, but it was too much work to maintain.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
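
The distinction drawn in the message above, as an added example that is not part of the original post and is not OpenSSH code: an SSHFP match classified by whether the answer was validated by the application or only arrived with the AD header bit set. The function names, verdict strings, the `locally_validated` flag and all sample bytes are assumptions constructed for illustration.

```python
import hashlib
import struct

AD_FLAG = 0x0020      # Authentic Data bit in the DNS header flags word
SSHFP_SHA256 = 2      # SSHFP fingerprint type 2 = SHA-256
KEY_ALG_ED25519 = 4   # SSHFP key algorithm number for Ed25519

def ad_bit_set(dns_message: bytes) -> bool:
    """Return True if the DNS header of this message has the AD flag set."""
    if len(dns_message) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", dns_message[:4])
    return bool(flags & AD_FLAG)

def parse_sshfp(rdata: bytes):
    """Split SSHFP RDATA into (key algorithm, fingerprint type, fingerprint)."""
    if len(rdata) < 3:
        raise ValueError("truncated SSHFP RDATA")
    return rdata[0], rdata[1], rdata[2:]

def sshfp_verdict(dns_message, rdata, host_key_blob, key_alg, locally_validated):
    """Classify an SSHFP lookup for the host key a server offered.

    locally_validated is an assumption of this sketch: the caller sets it only
    after checking the RRSIG chain itself, never because it saw the AD bit.
    """
    alg, fp_type, fingerprint = parse_sshfp(rdata)
    if alg != key_alg or fp_type != SSHFP_SHA256:
        return "no-usable-record"
    if hashlib.sha256(host_key_blob).digest() != fingerprint:
        return "mismatch"
    if locally_validated:
        return "match-validated"
    # AD is a single unsigned header bit: it reports what the resolver claims
    # and is only as trustworthy as the path between stub and resolver.
    return "match-ad-only" if ad_bit_set(dns_message) else "match-insecure"

def make_header(flags: int) -> bytes:
    """Build a constructed 12-byte DNS response header with the given flags."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)

# Constructed sample data (not a real key or a captured response).
HOST_KEY_BLOB = b"constructed-ed25519-public-key-blob"
RDATA = bytes([KEY_ALG_ED25519, SSHFP_SHA256]) + hashlib.sha256(HOST_KEY_BLOB).digest()
HDR_AD = make_header(0x81A0)      # QR, RD, RA and AD set
HDR_NO_AD = make_header(0x8180)   # same response without AD
```

A client following the stricter opinion would act only on `match-validated`; one that relies on the resolver would also accept `match-ad-only`.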
