Hello list,
From a freshly installed OpenBSD 6.4, whose resolv.conf points to a
validating resolver, unbound-host confirms that the SSHFP records of the
remote server have been validated, "ssh -v" shows that it found a match
between the host key of the remote server and one of these records, but
it seems that it did not validate them:
$ ssh bombay
[...]
debug1: Server host key: ssh-ed25519
SHA256:ume9IzcMIHGfcwJi9PGIKE2owEosrbUS0dkLQ5aNufk
debug1: found 2 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
No ED25519 host key is known for bombay.magickarpet.org and you
have requested strict checking.
Host key verification failed.
On a different OS, with the same SSH client configuration (running
OpenSSH 7.4p1, though, instead of 7.9), using the same resolvers, I
don't see the same issue, and the connection succeeds.
My ~/.ssh/config contains nothing extraordinary:
Host bombay
Hostname bombay.magickarpet.org
VerifyHostKeyDNS yes
StrictHostKeyChecking yes
The output of unbound-host:
$ unbound-host -D -v -t SSHFP bombay.magickarpet.org
bombay.magickarpet.org has SSHFP record 1 2
E4A9DE946DFA35304C1C65F2FF0379E9792B247BF69F16161CF441E095DB5008 (secure)
bombay.magickarpet.org has SSHFP record 4 2
BA67BD23370C20719F730262F4F188284DA8C04A2CADB512D1D90B43968DB9F9 (secure)
Does anyone know what's wrong?
Cheers,
--
Étienne
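As an added illustration (not part of the original mail, and not OpenSSH's own code), the following Python models what the client does with SSHFP answers: it derives the record from the host key the same way ssh-keygen -r does, and it only treats a match as validated when the resolver flagged the RRset as authentic (AD), which is the difference between the "secure" records unbound-host shows and the "insecure fingerprints" ssh -v reports. The key blob and DNS answers are constructed samples.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594) and fingerprint types (1 = SHA-1, 2 = SHA-256).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(pubkey_line, fptype=2):
    """Derive SSHFP RDATA (alg, fptype, HEXFP) from an OpenSSH public key line.
    As with ssh-keygen -r, the digest covers the raw key blob (the base64 field)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALG[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest().upper()


def check_host_key(pubkey_line, dns_answers):
    """Model VerifyHostKeyDNS. dns_answers: list of (alg, fptype, HEXFP, ad), where
    ad is whether the stub resolver reported the RRset as DNSSEC-validated.
    Returns (matched, secure). ssh accepts the key on DNS evidence alone only when
    both are true; a match on an unvalidated record is logged but not relied on."""
    alg, fptype, fp = sshfp_from_pubkey(pubkey_line)
    matches = [a for a in dns_answers if a[:3] == (alg, fptype, fp)]
    if not matches:
        return False, False
    # In ssh the validated flag belongs to the whole RRset, so per-record flags agree.
    return True, all(a[3] for a in matches)


# Constructed sample: an ed25519 key blob (type string + 32-byte key) in OpenSSH
# wire format. This is NOT a real host key; the fingerprint is derived from it.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_FP = sshfp_from_pubkey(SAMPLE_PUBKEY)[2]

# Constructed DNS answers: a matching record without the AD flag (the "insecure"
# case from the ssh -v output), an unrelated record, and the same match with AD set.
INSECURE_ANSWERS = [(4, 2, SAMPLE_FP, False), (1, 2, "00" * 32, False)]
SECURE_ANSWERS = [(4, 2, SAMPLE_FP, True)]

if __name__ == "__main__":
    print(check_host_key(SAMPLE_PUBKEY, INSECURE_ANSWERS))  # (True, False)
    print(check_host_key(SAMPLE_PUBKEY, SECURE_ANSWERS))    # (True, True)
```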