On 11 January 2018 at 07:12, Jonathan Duncan <jonathan@xxxxxxxxxx> wrote:
> I have been running openSSH 7.4p1 for a while now. When I upgraded to 7.5 a
> year or so ago I ran into the problem listed in this bug report:

Upgraded how? Built yourself? Configured with which options and which version of LDNS?

> 7.4p1
>
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
> debug3: verify_host_key_dns
> debug2: ldns: got 1 answers from DNS
> debug1: found 1 secure fingerprints in DNS

Note the "ldns:" line. This one is built with LDNS.

> 7.6p1
>
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
> debug3: verify_host_key_dns
> debug1: found 1 insecure fingerprints in DNS

Note the lack of the "ldns:" line. I suspect this one is not built with LDNS. You can confirm this with ldd; you should see something like:

$ ldd ssh | grep ldns
libldns.so.2 => /usr/lib/libldns.so.2 (0xb7bfe000)

> The system I am testing on is running macOS 10.13.2 (High Sierra). Others
> in my office are getting the same problem and running a similar setup
> (though some are running macOS 10.12).
>
> Is this a bug still or is there possibly something else at play here?

I suspect it's something else. I'd check config.h and your build logs to make sure LDNS was actually enabled as you expect.

> Is anyone else having the same problem? (Is anyone else using SSHFP/DNSSEC?)

I just set up DNSSEC for my domain and built 7.6p1 with LDNS 1.7.0 and (other than ldns-config wanting to link -lpython2.7 for some reason) it worked.

$ ./ssh -vvv -o verifyhostkeydns=yes server | grep -i dns
debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug1: found 6 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
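The two checks Darren describes (is the binary linked against libldns, and did `ssh -vvv` report "secure" or "insecure" SSHFP fingerprints) can be scripted so they are repeatable across a fleet of laptops like the one in the question. The following is an added example written for this page, not code from the thread or from OpenSSH. It assumes POSIX sh with grep; the sample debug logs and the sample linker output are constructed from the lines quoted in the thread. On macOS, where there is no `ldd`, `otool -L` prints the equivalent library list and its output can be fed to the same check.

```bash
#!/bin/sh
# Added example (not from the list thread): tell an LDNS/DNSSEC-validating
# ssh from one that only saw "insecure" SSHFP answers, from its own output.

# has_ldns: print "ldns" if a dynamic-library listing (from `ldd ssh` on
# Linux or `otool -L ssh` on macOS) mentions libldns, otherwise "no-ldns".
has_ldns() {
    if printf '%s\n' "$1" | grep -q 'libldns'; then
        echo ldns
    else
        echo no-ldns
    fi
}

# classify_sshfp_log: classify a captured `ssh -vvv -o VerifyHostKeyDNS=yes host` log.
#   secure   - DNSSEC-validated SSHFP records were found (the LDNS code path)
#   insecure - SSHFP records were found but not validated; ssh will not
#              auto-accept the host key on their basis, so expect the prompt
#   none     - no SSHFP verdict at all (no records, or DNS lookup not attempted)
classify_sshfp_log() {
    log="$1"
    if printf '%s\n' "$log" | grep -q 'found [0-9][0-9]* secure fingerprints in DNS'; then
        echo secure
    elif printf '%s\n' "$log" | grep -q 'found [0-9][0-9]* insecure fingerprints in DNS'; then
        echo insecure
    else
        echo none
    fi
}

# ldns_debug_lines: count "ldns:" debug lines. Zero strongly suggests the
# binary was configured without --with-ldns, whatever the build was meant to do.
ldns_debug_lines() {
    printf '%s\n' "$1" | grep -c '^debug[0-9]: ldns:' || true
}

# Constructed sample logs, modelled on the 7.4p1 and 7.6p1 output in the thread.
LOG_74='debug1: Server host key: ecdsa-sha2-nistp256 SHA256:xxxx
debug3: verify_host_key_dns
debug2: ldns: got 1 answers from DNS
debug1: found 1 secure fingerprints in DNS'

LOG_76='debug1: Server host key: ecdsa-sha2-nistp256 SHA256:xxxx
debug3: verify_host_key_dns
debug1: found 1 insecure fingerprints in DNS'

# Constructed `ldd` output for an LDNS-linked build.
LDD_OUT='libldns.so.2 => /usr/lib/libldns.so.2 (0xb7bfe000)
libc.so.6 => /lib/libc.so.6 (0xb7a00000)'

# Running against the real binary on a box (ssh writes its debug output to
# stderr, hence the redirect; "server" is a placeholder hostname):
#   classify_sshfp_log "$(ssh -vvv -o VerifyHostKeyDNS=yes server 2>&1 </dev/null | grep -i dns)"
#   has_ldns "$(ldd "$(command -v ssh)" 2>/dev/null || otool -L "$(command -v ssh)")"
```

If the result is "insecure" on a binary that does show libldns, the next thing to check is the resolver side rather than the build: the zone must be signed and the resolver ssh uses must be one LDNS can validate through, which `dig +dnssec SSHFP host` (looking for the AD flag and RRSIG records) will show.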
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev