On Wed, 12 Oct 2011 15:43:42 -0400 (EDT)
Paul Wouters <paul(a)xelerance.com> wrote:
> On Wed, 12 Oct 2011, Kevin Fenzi wrote:
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> > "VerifyHostKeyDNS yes")
>
> https://bugzilla.redhat.com/show_bug.cgi?id=180277
> https://bugzilla.redhat.com/show_bug.cgi?id=730558
>
> You can't tell us to use this while at the same time refusing to make
> that security setting not the system default....
>
> I asked for this back in 2006 ........
If the 'you' you are talking to here is me, which is what it reads
like: I am not the openssh maintainer. ;)
See the bug entry for my elaborate example showing you that DNS
without DNSSEC does NOT lead to automatically connecting to servers
you were never on before without prompting.
I completely agree with your reasoning and would love to have this
default in openssh.
kevin
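The thread above hinges on one detail: with `VerifyHostKeyDNS yes`, a matching SSHFP record in DNS only skips the "are you sure you want to continue connecting" prompt when the DNS answer was DNSSEC-validated; an unvalidated match is reported but still prompts. The following is an added example, not code from the thread or from OpenSSH, that models that decision in Python so the two cases can be run side by side. It assumes a constructed (not real) Ed25519 host key, the hostname `example.test`, a boolean `validated` standing in for "the resolver returned the answer with the AD bit and the client trusts that resolver", and the result labels `accept`, `prompt_match`, `prompt_no_record` and `warn_mismatch`, which are names chosen here rather than OpenSSH's own.

```python
import base64
import hashlib
import struct

# --- constructed sample host key (NOT a real key) ---------------------------
# OpenSSH public key blob wire format: string(keytype) || string(key bytes),
# where string(x) is a 4-byte big-endian length followed by the bytes.
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def fake_ed25519_pubkey_line(seed: int, comment: str) -> str:
    """Build a syntactically valid 'ssh-ed25519 <base64> <comment>' line from
    32 placeholder bytes. Hypothetical key material, used only so the example
    runs offline; never publish records for a key made this way."""
    key = bytes((seed + i) & 0xFF for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

HOST_PUBKEY_LINE = fake_ed25519_pubkey_line(0, "root@example.test")

# --- SSHFP code points (RFC 4255 RSA/DSA + SHA-1, RFC 6594 ECDSA + SHA-256,
#     RFC 7479 Ed25519) ----------------------------------------------------
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def _key_blob(pubkey_line: str):
    keytype, b64 = pubkey_line.split()[:2]
    return SSHFP_ALGO[keytype], base64.b64decode(b64)

def sshfp_records(pubkey_line: str, hostname: str) -> list:
    """The records an operator publishes for the host: one SSHFP RR per hash
    type, each hash taken over the raw key blob (the base64-decoded field)."""
    algo, blob = _key_blob(pubkey_line)
    return [f"{hostname}. IN SSHFP {algo} {fptype} {h(blob).hexdigest()}"
            for fptype, h in SSHFP_HASH.items()]

def parse_sshfp(rr: str):
    """Return (algorithm, fptype, lowercase hex fingerprint) from a zone-file
    style RR. Zone files may split the hex across whitespace, so rejoin it."""
    tokens = rr.split()
    i = tokens.index("SSHFP")
    return int(tokens[i + 1]), int(tokens[i + 2]), "".join(tokens[i + 3:]).lower()

def verify_host_key_dns(pubkey_line: str, dns_rrs: list, validated: bool) -> str:
    """Decision for a host that is not yet in known_hosts when
    VerifyHostKeyDNS is 'yes'. `validated` models a DNSSEC-validated answer
    (AD bit from a trusted resolver); without it a match is informational
    only and the ordinary prompt still happens."""
    algo, blob = _key_blob(pubkey_line)
    found = match = False
    for rr in dns_rrs:
        r_algo, r_fptype, r_fp = parse_sshfp(rr)
        if r_algo != algo or r_fptype not in SSHFP_HASH:
            continue  # RR for another key type or an unknown hash: ignore it
        found = True
        if SSHFP_HASH[r_fptype](blob).hexdigest() == r_fp:
            match = True
    if not found:
        return "prompt_no_record"  # nothing usable in DNS: normal known_hosts prompt
    if match and validated:
        return "accept"            # secure match: connect without asking
    if match:
        return "prompt_match"      # match reported, but unvalidated DNS still prompts
    return "warn_mismatch"         # a record exists and disagrees: warn, then prompt

if __name__ == "__main__":
    recs = sshfp_records(HOST_PUBKEY_LINE, "example.test")
    for rr in recs:
        print(rr)
    print("validated DNS  :", verify_host_key_dns(HOST_PUBKEY_LINE, recs, True))
    print("plain DNS      :", verify_host_key_dns(HOST_PUBKEY_LINE, recs, False))
    print("no records     :", verify_host_key_dns(HOST_PUBKEY_LINE, [], True))
```

The records have the same shape as `ssh-keygen -r example.test -f /etc/ssh/ssh_host_ed25519_key.pub` produces, and the `prompt_match` path is exactly the case Kevin's bug entry describes: a client talking to an ordinary, non-validating stub resolver sees the match but is still asked. Only a validating resolver the client trusts (a local unbound, or a resolver marked trusted in resolv.conf) turns that into `accept`.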