OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you disable LDNS in src.conf. If DNSSEC is enabled, the default setting for VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask" (aka "train the user to type 'yes' and hit enter") and "no" (aka "train the user to type 'yes' and hit enter without even the benefit of a second opinion").
DES -- Dag-Erling Smørgrav - d...@des.no _______________________________________________ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
