Re: DNSSEC working but SSHFP reported as insecure

2022-12-04 Thread Casey Deccio
> On Dec 3, 2022, at 12:37 PM, Andre Rodier wrote:
>
> On Sat, 2022-12-03 at 12:09 -0700, Casey Deccio wrote:
>>
>> It could be that your default DNS resolver is not validating. ssh simply
>> looks at the result of the DNSSEC validation
>> provided by your default resolver [1], so if it's n

Re: DNSSEC working but SSHFP reported as insecure

2022-12-03 Thread Andre Rodier
On Sat, 2022-12-03 at 12:09 -0700, Casey Deccio wrote:
>
> > On Dec 3, 2022, at 9:22 AM, Andre Rodier wrote:
> >
> > > ssh -o VerifyHostKeyDNS=yes main.homebox.world
> >
> > Yes, this is the default option in my ssh/config file.
> >
> > I tried on the command line as well, but same result:
>

Re: DNSSEC working but SSHFP reported as insecure

2022-12-03 Thread Casey Deccio
> On Dec 3, 2022, at 9:22 AM, Andre Rodier wrote:
>
>> ssh -o VerifyHostKeyDNS=yes main.homebox.world
>
> Yes, this is the default option in my ssh/config file.
>
> I tried on the command line as well, but same result:

It could be that your default DNS resolver is not validating. ssh simply

Re: DNSSEC working but SSHFP reported as insecure

2022-12-03 Thread Andre Rodier
On Sat, 2022-12-03 at 09:19 -0700, Casey Deccio wrote:
> ssh -o VerifyHostKeyDNS=yes main.homebox.world

Yes, this is the default option in my ssh/config file.

I tried on the command line as well, but same result:

> ssh -o VerifyHostKeyDNS=yes main.homebox.world
> The authenticity of host 'main.h

Re: DNSSEC working but SSHFP reported as insecure

2022-12-03 Thread Casey Deccio
> On Dec 3, 2022, at 8:30 AM, Andre Rodier wrote:
>
> Where am I making a mistake, please?

The DNSSEC looks fine. That is, there is a secure chain from the root to the SSHFP record (see below). Have you tried adding the VerifyHostKeyDNS=yes option?

ssh -o VerifyHostKeyDNS=yes main.homebox.

Re: DNSSEC working but SSHFP reported as insecure

2022-12-03 Thread Andre Rodier
On Sat, 2022-12-03 at 15:48 +, John Scott wrote:
> > Where am I making a mistake, please?
>
> I think I know the problem. On the client machine, by default glibc
> doesn't indicate to applications that DNS records were signed via
> DNSSEC. This is because, how is glibc to know whether the DNS

Re: DNSSEC working but SSHFP reported as insecure

2022-12-03 Thread John Scott
> Where am I making a mistake, please?

I think I know the problem. On the client machine, by default glibc doesn't indicate to applications that DNS records were signed via DNSSEC. This is because, how is glibc to know whether the DNS servers it's getting its records from is supposed to be con

DNSSEC working but SSHFP reported as insecure

2022-12-03 Thread Andre Rodier
Hello, all.

I have implemented DNSSEC successfully (apparently) on a test box (using PowerDNS, btw). We can see the test here: https://dnssec-debugger.verisignlabs.com/homebox.world

I have set my SSHFP records correctly (I think):

> dig +dnssec -t SSHFP main.homebox.world @1.1.1.1