VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Tomas Mraz tmraz at
Wed Oct 12 19:51:39 UTC 2011

On Wed, 2011-10-12 at 15:43 -0400, Paul Wouters wrote: 
> On Wed, 12 Oct 2011, Kevin Fenzi wrote:
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> >  "VerifyHostKeyDNS yes")
> You can't tell us to use this while at the same time refusing to make
> that security setting not the system default....
> I asked for this back in 2006 ........
> See the bug entry for my elaborate example showing you that DNS without DNSSEC
> does NOT lead to automatically connecting to servers you were never on before
> without prompting.

Except nobody says or said that DNS without DNSSEC leads to the
automatic connection with such setting. The objection (upstream one that
is) is that setting VerifyHostKeyDNS yes ultimately sets you to depend
on the DNSSEC security for your SSH connection security and that is
something we will never make default if upstream does not.

Setting it to 'VerifyHostKeyDNS ask' by default is another matter and I
am OK with that.
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

More information about the devel mailing list