>>>>> On Thu, 13 Oct 2011 10:46:01 -0400 (EDT), Paul Wouters <paul@xxxxxxxxxxxxx> said:

PW> Also, trusting the AD bit without trusting the last mile violates
PW> RFC 3655 Section 3
[snip]
PW> If the ssh client grabs non-localhost resolver entries and trusts the AD
PW> bit, then that is a bug and should be reported upstream.

The other option is to do in-application validation, which gets all the
way to the end-system. We actually have some instrumented openssh RPMs
that are based on the Fedora RPM with an additional patch to support
in-application DNSSEC validation.

https://www.dnssec-tools.org/wiki/index.php/OpenSSH
https://www.dnssec-tools.org/download/

The implementation does a number of nice things, which includes
auto-accepting SSHFP keys that were verified via DNSSEC.

-- 
Wes Hardaker
My Pictures: http://capturedonearth.com/
My Thoughts: http://pontifications.hardakers.net/
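As an added example (not code from the dnssec-tools OpenSSH patch or from OpenSSH itself), the two checks this exchange turns on in Python: whether the last mile to the resolver is local, so that the AD bit may be trusted at all, and whether a presented host key matches a DNSSEC-validated SSHFP record. The host-key blob, SSHFP record and resolv.conf contents are constructed, and `ad_set` stands for the AD flag the application saw in the DNS response.

```python
import base64
import hashlib
import ipaddress

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample data: the "key blob" is just base64("abc"), not a real key.
HOST_KEY_LINE = "ssh-ed25519 YWJj constructed@example.test"
SSHFP_RECORDS = [(4, 2, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")]
RESOLV_LOCAL = "search example.test\nnameserver 127.0.0.1\nnameserver ::1\n"
RESOLV_REMOTE = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"


def last_mile_is_local(resolv_conf):
    """True only if every configured nameserver is on the loopback interface.

    The AD bit is set by the validating resolver; if that resolver is reached
    over an unprotected network path, anything on that path can set the bit,
    so a stub client may only trust it when the validator is local."""
    servers = [line.split()[1] for line in resolv_conf.splitlines()
               if line.strip().startswith("nameserver") and len(line.split()) > 1]
    return bool(servers) and all(
        ipaddress.ip_address(s.split("%")[0]).is_loopback for s in servers)


def sshfp_from_hostkey(key_line, fp_type):
    """Return the SSHFP rdata (algorithm, fp-type, hex digest) for a host-key
    line in known_hosts/ssh_host_*_key.pub format: "<type> <base64 blob> [comment]"."""
    key_type, b64 = key_line.split()[:2]
    digest = SSHFP_HASH[fp_type](base64.b64decode(b64)).hexdigest()
    return SSHFP_ALGO[key_type], fp_type, digest


def hostkey_matches_sshfp(key_line, sshfp_records, ad_set, resolv_conf):
    """Accept the key only if the SSHFP answer carried a trustworthy AD bit
    and one of the records matches the presented key."""
    if not (ad_set and last_mile_is_local(resolv_conf)):
        return False
    return any(
        fptype in SSHFP_HASH
        and sshfp_from_hostkey(key_line, fptype) == (algo, fptype, hexfp.lower())
        for algo, fptype, hexfp in sshfp_records)


if __name__ == "__main__":
    print(hostkey_matches_sshfp(HOST_KEY_LINE, SSHFP_RECORDS, True, RESOLV_LOCAL))   # True
    print(hostkey_matches_sshfp(HOST_KEY_LINE, SSHFP_RECORDS, True, RESOLV_REMOTE))  # False
```

The second call is the case Paul describes: the record and the AD bit are both present, but a non-loopback resolver is configured, so the bit is not trusted and the key is not auto-accepted.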