VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Kevin Fenzi kevin at
Wed Oct 12 19:47:09 UTC 2011

On Wed, 12 Oct 2011 15:43:42 -0400 (EDT)
Paul Wouters <paul at> wrote:

> On Wed, 12 Oct 2011, Kevin Fenzi wrote:
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> >  "VerifyHostKeyDNS yes")
> You can't tell us to use this while at the same time refusing to make
> that security setting not the system default....
> I asked for this back in 2006 ........

If the 'you' you are talking to here is me, which is what it reads
like: I am not the openssh maintainer. ;) 

> See the bug entry for my elaborate example showing you that DNS
> without DNSSEC does NOT lead to automatically connecting to servers
> you were never on before without prompting.

I completely agree with your reasoning and would love to have this
default in openssh. 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : 

More information about the devel mailing list