On Thu, 2015-11-12 at 19:21 +1300, martin f krafft wrote:
> thus spoke Christoph Anton Mitterer <cales...@scientia.net> [2015-11-12 17:41 +1300]:
> > > Hopeful, I was looking at VerifyHostKeyDNS for relief
> > The default StrictHostKeyChecking isn't secure enough for you, but
> > you'd trust DNSSEC here? ;-P
> Why should I not trust DNSSEC for hosts where I control the zone?

Well, it depends on what you mean by "control the zone":
If the resolver that verifies the DNSSEC has its starting trust anchor for DNSSEC above your zone (i.e. at the root zone), every higher level could in principle make forgeries.

But if you have your own keys configured as trust anchors in your resolvers, then you're of course safe - but then I wouldn't see the big advantage of using DNSSEC. :-)

Cheers,
Chris.
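As an added illustration (not part of this thread, and not OpenSSH's own code), the mechanism VerifyHostKeyDNS relies on, modelled in Python: the client hashes the host's public key blob, compares it with the SSHFP records returned for the host, and only treats a match as authenticated when the resolver reported the answer as DNSSEC-validated (AD flag). The AD-flag rule mirrors OpenSSH's behaviour of counting an SSHFP match as secure only for a validated answer; the key bytes, the records and the function names are constructed for the example.

```python
# Added example: SSHFP computation and the client-side trust decision.
# Whether the AD flag can be trusted is exactly the question in the thread:
# it is only as good as the trust anchor your validating resolver starts from.
import base64
import hashlib
import struct
from typing import List, Tuple

# SSHFP algorithm and fingerprint-type numbers (RFC 4255 / 6594 / 7479)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def sshfp_from_pubkey(pubkey_line: str, fptype: str = "sha256") -> Tuple[int, int, str]:
    """Return (algorithm, fp_type, hex_fingerprint) for an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)                 # the raw wire-format key blob
    digest = hashlib.new(fptype, blob).hexdigest()
    return SSHFP_ALGO[keytype], SSHFP_FPTYPE[fptype], digest


def check_host_key(pubkey_line: str, records: List[Tuple[int, int, str]],
                   ad_flag: bool) -> str:
    """Model the client decision: 'verified', 'insecure-match' or 'mismatch'."""
    published = {(a, t, f.lower()) for a, t, f in records}
    matched = any(
        (algo, fpt, fp) in published
        for algo, fpt, fp in (sshfp_from_pubkey(pubkey_line, name)
                              for name in SSHFP_FPTYPE)
    )
    if not matched:
        return "mismatch"
    # A match from an unvalidated answer is informational only, never proof.
    return "verified" if ad_flag else "insecure-match"


def constructed_ed25519_pubkey() -> str:
    """Build a syntactically valid ssh-ed25519 public key line (constructed bytes)."""
    raw = bytes(range(32))                       # constructed, not a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example@host"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey()
    rec = sshfp_from_pubkey(key)
    print("SSHFP record:", rec)
    print(check_host_key(key, [rec], ad_flag=True))    # verified
    print(check_host_key(key, [rec], ad_flag=False))   # insecure-match
```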