Re: Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.

On Mon, 2019-02-25 at 04:18 +0300, Yegor Ievlev wrote:
> Well, the most likely entity who can do that is your registrar, since
> it can change your nameservers and DS records.

Or the registry, the IANA, or any authority in between which
controls a DNS zone.


Also, the typical way one communicates "securely" with the registrar
is via TLS, which, because of the certificate model, is inherently
broken.
Mozilla, e.g., ships around 150 root CAs, many of which are known to be
untrustworthy... with probably thousands of intermediate CAs, all of
which can basically issue anything.

SSHFP is IMO mostly interesting for organisations which maintain their
own secure DNS resolvers (i.e. with their signing keys being configured
as trust anchors).
But even then you probably have different security properties than with
normal SSH keys that were directly exchanged via some trusted path
(namely the single point of failure).

Cheers,
Chris.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
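Added illustration, not part of the thread: what an SSHFP record actually binds (the hash of the host key's wire-format blob, the same fields `ssh-keygen -r` prints) and why a match only means something when the DNS answer was DNSSEC-validated by a resolver you trust, which is the point made above. All function names are mine and the ed25519 key is constructed filler, not a real key pair.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_FPTYPE = {"SHA-1": 1, "SHA-256": 2}


def sshfp_rdata(pubkey_line, fptype="SHA-256"):
    """Return (algorithm, fp_type, hex_fingerprint) for an OpenSSH public key
    line. The fingerprint is the hash of the raw key blob, i.e. the base64
    field decoded, which is exactly what the SSHFP record commits to."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.sha256(blob) if fptype == "SHA-256" else hashlib.sha1(blob)
    return SSHFP_ALGO[keytype], SSHFP_FPTYPE[fptype], digest.hexdigest()


def host_key_trusted_by_sshfp(pubkey_line, sshfp_records, dnssec_validated):
    """Accept the presented host key only if the SSHFP answer was validated
    (the resolver set the AD bit) and some record matches the key.
    An unvalidated record is just data from whoever controls the zone, the
    path or the resolver, so it must never count as a match."""
    if not dnssec_validated:
        return False
    for algo, fptype, fp_hex in sshfp_records:
        fpname = {1: "SHA-1", 2: "SHA-256"}.get(fptype)
        if fpname is None:  # unknown fingerprint type: ignore the record
            continue
        if (algo, fptype, fp_hex.lower()) == sshfp_rdata(pubkey_line, fpname):
            return True
    return False


def constructed_ed25519_pubkey(fill_byte):
    """Constructed sample: a syntactically valid OpenSSH ed25519 public key
    line whose 32-byte point is filler (not a usable key pair)."""
    point = bytes([fill_byte]) * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey(0x01)
    algo, fptype, fp = sshfp_rdata(key)
    print(f"host.example. IN SSHFP {algo} {fptype} {fp}")
    print("validated match:", host_key_trusted_by_sshfp(key, [(algo, fptype, fp)], True))
    print("same record, no DNSSEC:", host_key_trusted_by_sshfp(key, [(algo, fptype, fp)], False))
```

The script prints a record in the zone-file form `ssh-keygen -r` would emit and shows that the identical record is rejected when the resolver did not validate it.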
