On Mon, 2019-02-25 at 04:18 +0300, Yegor Ievlev wrote:
> Well, the most likely entity who can do that is your registrar, since
> it can change your nameservers and DS records.

Or the registry, IANA, or any authority in between which controls a DNS zone.

Also, the typical way one communicates "securely" with the registrar is via TLS, which, because of the certificate model, is inherently broken. Mozilla, e.g., ships around 150 root CAs, many of whom are known to be not trustworthy... with probably thousands of intermediate CAs, all of which can basically issue anything.

SSHFP is IMO mostly interesting for organisations which maintain their own secure DNS resolvers (i.e. with their signing keys being configured as trust anchors). But even then you probably have different security properties than with normal SSH keys that were directly exchanged via some trusted path (namely the single point of failure).

Cheers,
Chris.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
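As an added example following this message (not code from the thread, from Chris, or from OpenSSH), the block below shows what an SSHFP record actually binds and why the resolver's DNSSEC validation is the whole point: it builds an SSHFP record from a host key the way `ssh-keygen -r` does (hash of the base64-decoded key blob), parses it back, and then applies the client-side rule that a matching record is only authoritative when the answer was validated (AD bit set). The host key is constructed inline from 32 fixed bytes standing in for a real Ed25519 public key, the owner name `host.example` is made up, and `ad_flag` is an assumed stand-in for the AD bit a validating resolver would return.

```python
"""Compute and verify SSHFP records for an OpenSSH host key (added example)."""
import base64
import hashlib
import struct

# Algorithm and fingerprint-type codes from RFC 4255, RFC 6594 and RFC 7479.
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str = "constructed-host") -> str:
    """Build a known_hosts-style line from 32 raw key bytes (constructed input).

    The wire blob is string("ssh-ed25519") || string(raw_key), which is what
    ssh-keygen base64-encodes in the second field of a public key line.
    """
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def sshfp_from_pubkey_line(line: str, fptype: str = "sha256") -> tuple:
    """Return (algorithm, fptype, hex fingerprint) for a public key line.

    The fingerprint hashes the decoded key blob, not the text line, so the
    comment and whitespace do not affect it.
    """
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob's first field repeats the key type; refuse mismatched lines.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type prefix does not match blob")
    digest = hashlib.new(fptype, blob).hexdigest()
    return SSHFP_ALGO[keytype], SSHFP_FPTYPE[fptype], digest


def format_sshfp_rr(owner: str, algo: int, fptype: int, fp: str) -> str:
    """Render a record in zone-file presentation format."""
    return f"{owner}. IN SSHFP {algo} {fptype} {fp}"


def parse_sshfp_rr(rr: str) -> tuple:
    """Parse 'owner. IN SSHFP <algo> <fptype> <hex>' back into a tuple."""
    fields = rr.split()
    if len(fields) < 6 or fields[2].upper() != "SSHFP":
        raise ValueError(f"not an SSHFP record: {rr!r}")
    # Zone files may split the hex across whitespace; join it back together.
    return int(fields[3]), int(fields[4]), "".join(fields[5:]).lower()


def verify_host_key(pubkey_line: str, answers: list, ad_flag: bool) -> str:
    """Decide what an SSHFP-aware client may conclude from a DNS answer.

    This is the rule OpenSSH applies with VerifyHostKeyDNS: a matching record
    is trusted on its own only if the resolver validated the answer (AD bit);
    an unvalidated match is advisory and the user must still confirm the key.
    Returns 'secure-match', 'insecure-match' or 'no-match'.
    """
    expected = {sshfp_from_pubkey_line(pubkey_line, t) for t in ("sha1", "sha256")}
    matched = any(parse_sshfp_rr(rr) in expected for rr in answers)
    if not matched:
        return "no-match"
    return "secure-match" if ad_flag else "insecure-match"


if __name__ == "__main__":
    line = make_ed25519_pubkey_line(bytes(range(32)))  # constructed key bytes
    algo, fpt, fp = sshfp_from_pubkey_line(line)
    rr = format_sshfp_rr("host.example", algo, fpt, fp)
    print(rr)
    for ad in (True, False):
        print("AD bit set:", ad, "->", verify_host_key(line, [rr], ad_flag=ad))
```

In practice the record comes from `ssh-keygen -r host.example` on the server and the client sets `VerifyHostKeyDNS yes`; the AD bit only means anything if the stub resolver talks to a validating resolver over a path an attacker cannot rewrite, which is why the message above ties SSHFP's usefulness to running your own validating resolver with its trust anchors under your control. That resolver (and the zone's signing keys, DS record and registrar account above it) is then the single point of failure the message refers to.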