Phillip Hallam-Baker:

> As part of that, I wanted to know if there was any *existing* use of the
> SSHFP record for publishing SSH credentials and if so whether it was
> limited to the server.

The FreeBSD project publishes SSHFP records for its machines[1], and from 2013 to 2023 the version of OpenSSH shipped with FreeBSD defaulted to VerifyHostKeyDNS=yes:

    Change the default value of VerifyHostKeyDNS to "yes" if compiled
    with LDNS. With that setting, OpenSSH will silently accept host keys
    that match verified SSHFP records. If an SSHFP record exists but
    could not be verified, OpenSSH will print a message and prompt the
    user as usual.

I don't recall a rationale or public discussion.

After a change of FreeBSD's OpenSSH maintainer, the default setting was eventually reverted:

    ssh: default VerifyHostKeyDNS to no, following upstream

    Revert to upstream's default. Using VerifyHostKeyDNS may depend on a
    trusted nameserver and network path.

[1] https://www.freebsd.org/internal/machines/

-- 
Christian "naddy" Weisgerber                          na...@mips.inka.de

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
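An added example, not from the post above and not FreeBSD's or OpenSSH's code: it computes the SSHFP rdata for a host key the way `ssh-keygen -r` prints its SHA-256 line, and applies the VerifyHostKeyDNS=yes rule the quoted commit describes (silent accept only for a DNSSEC-validated matching record, otherwise the usual prompt). The host key and DNS answers are constructed inline; treating a validated RRset that contains no matching record like an absent one is an assumption of this model.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and the SHA-256 fingerprint type
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE_SHA256 = 2


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> bytes:
    """Return the raw key blob from a 'type base64 [comment]' public-key line."""
    return base64.b64decode(line.split()[1])


def key_blob_to_sshfp(blob: bytes) -> str:
    """SSHFP rdata for a host-key blob: '<alg> 2 <sha256 hex of the blob>'."""
    name_len = struct.unpack(">I", blob[:4])[0]
    key_type = blob[4:4 + name_len].decode()
    return f"{SSHFP_ALG[key_type]} {SSHFP_FPTYPE_SHA256} {hashlib.sha256(blob).hexdigest()}"


def decide(host_key_blob: bytes, sshfp_rrset: set, dnssec_validated: bool) -> str:
    """Model the VerifyHostKeyDNS=yes decision from the quoted commit message:
    'accept' only when a DNSSEC-validated SSHFP record matches the offered key;
    'prompt' (the usual known_hosts interaction) for an unvalidated record or,
    by assumption here, when no published record matches at all."""
    if dnssec_validated and key_blob_to_sshfp(host_key_blob) in sshfp_rrset:
        return "accept"
    return "prompt"


# Constructed sample: an ed25519 host key with a fixed 32-byte public value.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host"
# The record a zone operator would publish for that key (computed here, not fetched).
SAMPLE_RRSET = {key_blob_to_sshfp(SAMPLE_BLOB)}

if __name__ == "__main__":
    print("published:", SAMPLE_RRSET)
    print("validated match:", decide(SAMPLE_BLOB, SAMPLE_RRSET, True))     # accept
    print("unvalidated match:", decide(SAMPLE_BLOB, SAMPLE_RRSET, False))  # prompt
    other = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    print("key not in DNS:", decide(other, SAMPLE_RRSET, True))            # prompt
```

Comparing `key_blob_to_sshfp(parse_pubkey_line(...))` for each key in `/etc/ssh/ssh_host_*_key.pub` against the zone's SSHFP RRset is a quick audit that the published records still match the keys actually offered.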