Quoting Philip Homburg <pch-openssh@xxxxxxxxxxxxxx>:

> Hi,
>
> I found a small issue with DNSSEC validation of SSHFP lookups. (For
> reference I used OpenSSH 6.8p1 on FreeBSD 10.1).
>
> The issue is that when DNSSEC validation fails, ssh displays a confusing
> message to the user. When DNSSEC validation of a SSHFP record fails, ssh
> presents the user with
> "Matching host key fingerprint found in DNS.
> "Are you sure you want to continue connecting (yes/no)?

That's not the only confusing one. I ran into another confusing error message on some of my 6.6 clients when connecting to hosts which had published a full set of SSHFPs (types 1 and 4 anyway, with both hash records for each of those). It was something vague like "Error calculating host key fingerprint" with no mention of an unsupported SSHFP record.

Even though Curve25519 support was in those older versions, I guess the support for the Ed25519 algorithm in SSHFPs lagged them by quite a while. I don't use algorithms 2 or 3 since none of my SSHDs are configured to support them.

It's probably of minor importance, since DNS fingerprinting is not the best primary mechanism to verify a server's host key fingerprint.

=R=

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
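The two outcomes the thread describes, a match that is only meaningful when the resolver set the DNSSEC AD bit and an SSHFP record whose algorithm the client does not handle, as an added example that is not code from OpenSSH or from either poster; the function and variable names, and the sample Ed25519 key, are constructed for illustration:

```python
import base64
import hashlib
import struct

# SSHFP RDATA numbering (RFC 4255, RFC 6594): algorithm and fingerprint type.
ALGO_BY_KEYTYPE = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
HASH_BY_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_fingerprint(pubkey_line, fptype):
    """Return (algorithm, hex fingerprint) for an OpenSSH public-key line.

    The SSHFP fingerprint hashes the key's raw wire-format blob, i.e. the
    base64-decoded field of the line, not the text of the line itself.
    """
    keytype, b64 = pubkey_line.split()[:2]
    digest = HASH_BY_FPTYPE[fptype](base64.b64decode(b64)).hexdigest()
    return ALGO_BY_KEYTYPE[keytype], digest


def check_sshfp(pubkey_line, records, ad_flag, supported_algos=frozenset(ALGO_BY_KEYTYPE.values())):
    """Classify a host key against the SSHFP records a resolver returned.

    records: iterable of (algorithm, fptype, hex_fingerprint) tuples.
    ad_flag: the resolver's Authenticated Data bit. Without it a matching
    record proves nothing, so it is reported as 'insecure-match' rather
    than as a plain match. A key algorithm outside supported_algos (the
    older-client case from the thread) is reported as 'unsupported'.
    """
    algo = ALGO_BY_KEYTYPE.get(pubkey_line.split()[0])
    if algo is None or algo not in supported_algos:
        return "unsupported"
    for rec_algo, fptype, hexfp in records:
        if rec_algo != algo or fptype not in HASH_BY_FPTYPE:
            continue  # record is for another key type or an unknown hash
        if sshfp_fingerprint(pubkey_line, fptype)[1] == hexfp.lower():
            return "secure-match" if ad_flag else "insecure-match"
    return "mismatch"


# Constructed sample host key (not a real key): Ed25519 wire format is
# string(key type) followed by string(32 raw key bytes).
_raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_raw).decode() + " host@example"
SAMPLE_RECORDS = [(4, 2, sshfp_fingerprint(SAMPLE_KEY, 2)[1])]  # SSHFP 4 2 <sha256>

if __name__ == "__main__":
    print(check_sshfp(SAMPLE_KEY, SAMPLE_RECORDS, ad_flag=False))  # insecure-match
```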