Hi,

On Mon, Feb 25, 2019 at 01:51:16AM +0100, Christoph Anton Mitterer wrote:
> Anyone in the tree of the DNS down to the domain with your SSHFP RR has
> the potential power to forge such RR.

This is why you only trust SSHFPs if they are DNSSEC validated.

(Of course the sysadmin who maintains your SSHFP zone entries needs to
be trusted, so you do not want to do this for zones hosted elsewhere)

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert@xxxxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
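
The rule in the message above, as an added example that is not part of the original post and is not OpenSSH's code: an SSHFP record that matches the presented host key is trusted only when the DNS answer carried the validated (AD) flag, and is otherwise treated as a hint that still needs confirmation. The function names and sample bytes are constructed for illustration, and the AD flag is assumed to come from a validating resolver reached over a trusted path.

```python
import hashlib
import hmac
import struct

# Illustrative names, not OpenSSH's. SSHFP RDATA: key algorithm, fingerprint type, digest.
KEY_ALGS = {1: b"ssh-rsa", 2: b"ssh-dss", 4: b"ssh-ed25519"}  # ECDSA (3) omitted for brevity
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}
AD_BIT = 0x0020  # "authentic data" flag in the DNS header flags word

def ad_flag_set(dns_message: bytes) -> bool:
    """True if the resolver marked the answer as DNSSEC validated."""
    if len(dns_message) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack_from(">H", dns_message, 2)
    return bool(flags & AD_BIT)

def key_type(key_blob: bytes) -> bytes:
    """An SSH public key blob starts with a length-prefixed type name."""
    if len(key_blob) < 4:
        return b""
    (n,) = struct.unpack_from(">I", key_blob, 0)
    return key_blob[4:4 + n]

def sshfp_matches(rdata: bytes, key_blob: bytes) -> bool:
    if len(rdata) < 3:
        return False
    alg, fp_type, digest = rdata[0], rdata[1], rdata[2:]
    hasher = FP_HASHES.get(fp_type)
    if hasher is None or KEY_ALGS.get(alg) != key_type(key_blob):
        return False
    return hmac.compare_digest(hasher(key_blob).digest(), digest)

def decide(rrset, key_blob, validated):
    """'trust' only for a match in a validated answer; an unvalidated match is a hint."""
    if not any(sshfp_matches(r, key_blob) for r in rrset):
        return "mismatch"
    return "trust" if validated else "ask"

# Constructed sample data (not a real host key or a captured response).
KEY = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
OTHER_KEY = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
RR = bytes([4, 2]) + hashlib.sha256(KEY).digest()
HDR_VALIDATED = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)    # QR RD RA AD
HDR_UNVALIDATED = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR RD RA
```
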