On Wed, 12 Oct 2011 15:43:42 -0400 (EDT)
Paul Wouters <paul@xxxxxxxxxxxxx> wrote:

> On Wed, 12 Oct 2011, Kevin Fenzi wrote:
>
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> >   "VerifyHostKeyDNS yes")
>
> https://bugzilla.redhat.com/show_bug.cgi?id=180277
> https://bugzilla.redhat.com/show_bug.cgi?id=730558
>
> You can't tell us to use this while at the same time refusing to make
> that security setting not the system default....
>
> I asked for this back in 2006 ........

If the 'you' you are talking to here is me, which is what it reads
like: I am not the openssh maintainer. ;)

> See the bug entry for my elaborate example showing you that DNS
> without DNSSEC does NOT lead to automatically connecting to servers
> you were never on before without prompting.

I completely agree with your reasoning and would love to have this
default in openssh.

kevin

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel