On Sun, Apr 26, 2009 at 01:13:37PM -0500, Ted Lemon <ted.le...@nominum.com> wrote a message of 22 lines which said:
> Of course hopefully ssh is implemented in such a way that it makes
> sure the SSHFP RR has been validated by the resolver before using
> it; I haven't actually tried it, so I don't know.

At least OpenSSH appears not to do that systematically, probably because there is no secure name resolution API, no standard way to check the AD bit from an application (and the app will still not know if the validating resolver was "secure", or if it was using random trust anchors without checking). There is an option in OpenSSH to activate DNSSEC testing for SSHFP (see dns.c and openbsd-compat/getrrsetbyname.c), but it seems to depend on the local stub resolver support and therefore does not work on every system.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
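The check the thread is discussing, as an added illustration that is not OpenSSH's own code: read the AD bit out of a raw DNS response header, decode SSHFP RDATA, and accept a host key only when both the resolver asserted validation and the fingerprint matches. The DNS message, SSHFP record and host key blob below are constructed sample values; the algorithm and fingerprint-type numbers follow the SSHFP registry (RFC 4255, plus the later SHA-256 and ECDSA/Ed25519 additions), so it goes slightly beyond the RSA/DSA/SHA-1 cases that existed when this was written.

```python
import hashlib
import struct

# AD (Authenticated Data) is bit 5 of the 16-bit DNS header flags word
# (flags layout: QR Opcode(4) AA TC RD RA Z AD CD RCODE(4)).
AD_FLAG = 0x0020

# SSHFP RDATA: algorithm (1 byte), fingerprint type (1 byte), fingerprint.
SSHFP_ALGORITHM = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519"}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ad_bit_set(dns_message: bytes) -> bool:
    """True if the resolver set AD in this response. Only meaningful when the
    path to that resolver is trusted (e.g. a validating resolver on localhost);
    a remote resolver's AD bit says nothing about who set it in transit."""
    if len(dns_message) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", dns_message[2:4])[0]
    return bool(flags & AD_FLAG)


def parse_sshfp(rdata: bytes):
    """Split SSHFP RDATA into (algorithm, fingerprint type, fingerprint)."""
    if len(rdata) < 2:
        raise ValueError("SSHFP RDATA too short")
    return rdata[0], rdata[1], rdata[2:]


def sshfp_matches(rdata: bytes, hostkey_blob: bytes) -> bool:
    """Compare the record's fingerprint with a digest of the raw host key blob."""
    _alg, fptype, fingerprint = parse_sshfp(rdata)
    digest = SSHFP_FPTYPE.get(fptype)
    if digest is None:
        return False  # unknown fingerprint type: never accept
    return digest(hostkey_blob).digest() == fingerprint


def hostkey_trusted_via_dns(dns_message: bytes, rdata: bytes, hostkey_blob: bytes) -> bool:
    """Accept the key only if validation was asserted AND the fingerprint matches."""
    return ad_bit_set(dns_message) and sshfp_matches(rdata, hostkey_blob)


# Constructed sample data (not a real host): two 12-byte DNS headers that differ
# only in AD, a fake Ed25519 key blob, and an SSHFP (alg 4, SHA-256) built from it.
HOSTKEY = b"constructed ed25519 host key blob"
SSHFP = bytes([4, 2]) + hashlib.sha256(HOSTKEY).digest()
RESPONSE_VALIDATED = struct.pack("!6H", 0x1234, 0x8180 | AD_FLAG, 1, 1, 0, 0)
RESPONSE_UNVALIDATED = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
```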