Y'all,

Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP RR is missing from the result set (rather than being empty), which can lead to confusing error messages (the "normal" warn_changed_key() blurb is emitted), e.g. when the presented host key and known hosts both match but there is no matching RR.

Further, if VerifyHostKeyDNS and StrictHostKeyChecking are set, there is no prompting for confirmation if the connection should be allowed to proceed; I'm unsure if this is by design or not (as presented host key and known host key match), but I'd argue this violates POLA.

Attached are two naïve patches to portable (cloned from anongit@xxxxxxxxxxx) that attempt to tackle the above.

--
/ciao, thorduri.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
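The distinction the post asks for, as an added example that is not part of the original message and not OpenSSH's code: a small Python model of SSHFP verification that reports "no records returned" separately from "records returned but none matches", so that a DNS lookup with no SSHFP RRs is never described as a changed host key when known_hosts agrees. The RR field layout (algorithm, fingerprint type, hex digest of the raw public key blob) follows RFC 4255 / RFC 6594; the key blob, zone lines, verdict names and message wording are this example's own constructions, and the `describe` policy is an assumption rather than what ssh(1) prints.

```python
"""Model of SSHFP host-key verification outcomes (added example, not OpenSSH code)."""
import hashlib
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional, Sequence

# SSHFP RR field values from RFC 4255 / RFC 6594.
ALG_RSA, ALG_DSA, ALG_ECDSA, ALG_ED25519 = 1, 2, 3, 4
FPTYPE_SHA1, FPTYPE_SHA256 = 1, 2
_HASH_FOR_FPTYPE = {FPTYPE_SHA1: "sha1", FPTYPE_SHA256: "sha256"}


@dataclass(frozen=True)
class SshfpRecord:
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex digest of the raw public key blob


class DnsVerdict(Enum):
    NO_RECORDS = auto()  # lookup returned no SSHFP RRs: nothing to compare against
    MATCH = auto()       # at least one RR matches the presented key
    MISMATCH = auto()    # RRs exist for this host but none matches


def parse_sshfp(line: str) -> SshfpRecord:
    """Parse one SSHFP RR in presentation format, e.g.
    'host.example.com. 3600 IN SSHFP 4 2 <hex>'. The fields after 'SSHFP' are
    algorithm, fingerprint type and the hex fingerprint (whitespace inside the
    hex, as zone files often wrap it, is ignored)."""
    fields = line.split()
    idx = fields.index("SSHFP")
    alg, fptype = int(fields[idx + 1]), int(fields[idx + 2])
    fp = "".join(fields[idx + 3:]).lower()
    return SshfpRecord(alg, fptype, fp)


def fingerprint(key_blob: bytes, fptype: int) -> str:
    """SSHFP fingerprint: hash of the wire-format public key blob."""
    return hashlib.new(_HASH_FOR_FPTYPE[fptype], key_blob).hexdigest()


def check_sshfp(key_blob: bytes, key_alg: int,
                records: Optional[Sequence[SshfpRecord]]) -> DnsVerdict:
    """Compare the presented host key against the SSHFP RRs returned for the host.
    An absent or empty result set is reported separately from a set that
    contains records but no match."""
    if not records:
        return DnsVerdict.NO_RECORDS
    for rr in records:
        if rr.algorithm != key_alg or rr.fptype not in _HASH_FOR_FPTYPE:
            continue  # different key type or unknown hash type: not comparable
        if rr.fingerprint == fingerprint(key_blob, rr.fptype):
            return DnsVerdict.MATCH
    return DnsVerdict.MISMATCH


def describe(known_hosts_match: bool, verdict: DnsVerdict) -> str:
    """Message a client could show (wording is this example's own). A missing RR set
    is never reported as a changed key when known_hosts already matches."""
    if verdict is DnsVerdict.MATCH:
        return "host key verified via DNS SSHFP" + (
            "" if known_hosts_match else "; not yet in known_hosts")
    if verdict is DnsVerdict.NO_RECORDS:
        return "no SSHFP records found in DNS" + (
            "; known_hosts matches" if known_hosts_match else "; host key unknown")
    # MISMATCH: records exist but disagree with the presented key
    if known_hosts_match:
        return ("WARNING: DNS SSHFP records do not match the presented key "
                "(known_hosts does match)")
    return ("WARNING: DNS SSHFP records do not match the presented key "
            "and it is not in known_hosts")


# Constructed sample key blob (not a real key) and a constructed zone with one
# matching Ed25519 record and one stale RSA record.
SAMPLE_KEY = b"ssh-ed25519" + bytes(range(32))
SAMPLE_ZONE = [
    "host.example.com. 3600 IN SSHFP 4 2 " + fingerprint(SAMPLE_KEY, FPTYPE_SHA256),
    "host.example.com. 3600 IN SSHFP 1 2 " + "00" * 32,
]

if __name__ == "__main__":
    rrs = [parse_sshfp(line) for line in SAMPLE_ZONE]
    print(describe(True, check_sshfp(SAMPLE_KEY, ALG_ED25519, rrs)))      # match
    print(describe(True, check_sshfp(SAMPLE_KEY, ALG_ED25519, [])))       # no records
    print(describe(True, check_sshfp(SAMPLE_KEY, ALG_ED25519, rrs[1:])))  # mismatch
```

The three calls at the bottom exercise exactly the three states the post distinguishes: a matching RR, an empty result set, and a result set that exists but does not cover the presented key. Only the last of these is a genuine disagreement between DNS and the host; the middle one is a configuration or publication gap and is reported as such.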