Well, the most likely entity who can do that is your registrar, since it can change your nameservers and DS records.

On Mon, Feb 25, 2019 at 3:51 AM Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx> wrote:
>
> On Sat, 2019-02-23 at 22:23 +0300, Yegor Ievlev wrote:
> > Well, known_hosts isn't exactly trusted input, since it's usually
> > composed of the keys you first encounter
> If someone accepts keys without checking them, he cannot be helped.
>
>
> > without any additional
> > checking, as opposed to (hopefully) correctly signed SSHFP records.
> In fact, SSHFP is far less trustworthy, than properly exchanged host
> keys (respectively fingerprints).
>
> Anyone in the tree of the DNS down to the domain with your SSHFP RR has
> the potential power to forge such RR.
>
>
> C.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
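The cross-check implied by the thread, as an added example that is not part of the original messages: it computes the SSHFP RDATA for a host key obtained out of band and compares it with what DNS publishes, so a record changed by a party higher up the DNS tree shows up as a mismatch. The function names, the host name and both key lines are constructed for illustration.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255, RFC 6594 and RFC 7479.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fingerprint types


def sshfp_rdata(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, hex digest) for an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the fingerprint covers the raw key blob
    return SSHFP_ALGO[key_type], fp_type, FP_HASH[fp_type](blob).hexdigest()


def check_record(rdata, trusted_pubkey_line):
    """Compare SSHFP RDATA ('4 2 <hex>') with a key exchanged out of band."""
    algo, fp_type, fp = rdata.split(None, 2)
    want_algo, _, want_fp = sshfp_rdata(trusted_pubkey_line, int(fp_type))
    if int(algo) != want_algo:
        return "other-algorithm"  # record describes a different key type
    published = fp.replace(" ", "").lower()
    return "match" if published == want_fp else "MISMATCH"


def constructed_key_line(seed):
    """Build a syntactically valid ssh-ed25519 line from constructed bytes."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for a real key
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host.example.test"


# Constructed sample data: the key received out of band, and a different key
# whose fingerprint a party higher up the DNS tree could publish instead.
TRUSTED = constructed_key_line(b"exchanged out of band")
SUBSTITUTED = constructed_key_line(b"published by someone else")
GOOD_RR = "%d %d %s" % sshfp_rdata(TRUSTED)
FORGED_RR = "%d %d %s" % sshfp_rdata(SUBSTITUTED)

if __name__ == "__main__":
    for label, rr in (("good", GOOD_RR), ("forged", FORGED_RR)):
        print(label, rr[:20] + "...", check_record(rr, TRUSTED))
```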