Re: VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

On Wed, 2011-10-12 at 15:43 -0400, Paul Wouters wrote: 
> On Wed, 12 Oct 2011, Kevin Fenzi wrote:
> 
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> >  "VerifyHostKeyDNS yes")
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=180277
> https://bugzilla.redhat.com/show_bug.cgi?id=730558
> 
> You can't tell us to use this while at the same time refusing to make
> that security setting not the system default....
> 
> I asked for this back in 2006 ........
> 
> See the bug entry for my elaborate example showing you that DNS without DNSSEC
> does NOT lead to automatically connecting to servers you were never on before
> without prompting.

Except nobody says or said that DNS without DNSSEC leads to the
automatic connection with such a setting. The objection (the upstream one,
that is) is that setting VerifyHostKeyDNS yes ultimately sets you to depend
on the DNSSEC security for your SSH connection security and that is
something we will never make default if upstream does not.

Setting it to 'VerifyHostKeyDNS ask' by default is another matter and I
am OK with that.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
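As an added illustration (not code from this thread or from OpenSSH), here is a Python model of what the setting decides for a host that is not yet in known_hosts. The sample key blob is constructed, and the decision function follows OpenSSH's documented behaviour as I understand it: only `VerifyHostKeyDNS yes` together with a matching SSHFP record from a DNSSEC-validated answer skips the prompt; an unvalidated match only annotates the prompt.

```python
import hashlib
import struct

# SSHFP algorithm and fingerprint-type codes (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {b"ssh-rsa": 1, b"ssh-dss": 2, b"ecdsa-sha2-nistp256": 3, b"ssh-ed25519": 4}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length followed by data."""
    return struct.pack(">I", len(data)) + data


# Constructed sample host keys (NOT real keys): ssh-ed25519 blobs whose 32 raw
# public-key bytes are 0x00..0x1f, and all zeros for the "other" host. A blob is
# what the base64 part of a known_hosts line decodes to.
SAMPLE_HOST_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
OTHER_HOST_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))


def key_type(key_blob: bytes) -> bytes:
    """Return the key type string at the front of an SSH public-key blob."""
    (n,) = struct.unpack(">I", key_blob[:4])
    return key_blob[4:4 + n]


def sshfp_record(key_blob: bytes, fptype: int = SSHFP_SHA256) -> tuple:
    """Build SSHFP RDATA (algorithm, fptype, hex fingerprint) for a host key,
    the same data `ssh-keygen -r` prints: the hash is taken over the raw key blob."""
    digest = hashlib.sha1 if fptype == SSHFP_SHA1 else hashlib.sha256
    return (SSHFP_ALG[key_type(key_blob)], fptype, digest(key_blob).hexdigest())


def host_key_decision(policy: str, records: list, key_blob: bytes,
                      dnssec_validated: bool) -> str:
    """Model of the VerifyHostKeyDNS decision for a host not yet in known_hosts.

    policy: "yes", "ask" or "no"; records: SSHFP tuples the resolver returned;
    dnssec_validated: whether the answer carried the AD (authenticated data) bit.
    Only policy "yes" with a matching record from a DNSSEC-validated answer
    connects without a prompt; everything else falls back to the usual prompt,
    annotated with whether a matching fingerprint was found in DNS."""
    if policy == "no" or not records:
        return "ask"
    match = any(sshfp_record(key_blob, r[1]) == (r[0], r[1], r[2].lower())
                for r in records)
    if policy == "yes" and match and dnssec_validated:
        return "connect"
    return "ask (matching fingerprint in DNS)" if match else "ask (no match in DNS)"
```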

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel