Hey,

What is the canonical way that SSH security should be bootstrapped? How are users expected to know if the fingerprint is correct or not? To me the canonical way seems to be that it's not done at all; only very, very few communicate the fingerprints somehow.

Are there reasons why we couldn't, out of the package, trust SSHFP when found with validating DNSSEC? Those few who have higher security requirements could manually turn it off.

I feel it would be a net gain in security, but I may have missed some important arguments.

Thanks,
--
++ytti
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev