VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Paul Wouters paul at
Wed Oct 12 19:43:42 UTC 2011

On Wed, 12 Oct 2011, Kevin Fenzi wrote:

> * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
>  "VerifyHostKeyDNS yes")

You can't tell us to use this while at the same time refusing to make
that security setting not the system default....

I asked for this back in 2006 ........

See the bug entry for my elaborate example showing you that DNS without DNSSEC
does NOT lead to automatically connecting to servers you were never on before
without prompting.


More information about the devel mailing list