From: Dag-Erling Smørgrav
To: current@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: HEADS UP: OpenSSH with DNSSEC support in 10
Date: Wed, 11 Sep 2013 17:00:15 +0200
Message-ID: <86hadre740.fsf@nine.des.no>

OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you disable LDNS in src.conf.

If DNSSEC is enabled, the default setting for VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask" (aka "train the user to type 'yes' and hit enter") and "no" (aka "train the user to type 'yes' and hit enter without even the benefit of a second opinion").

DES

-- 
Dag-Erling Smørgrav - des@des.no
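As an added illustration (not part of the original mail, and not OpenSSH's own code) of what VerifyHostKeyDNS=yes actually compares: an SSHFP record holds a hash of the host key blob, and the client should only trust a record that the resolver has DNSSEC-validated. The script below derives the SSHFP fingerprints ssh-keygen -r would publish for a constructed Ed25519 host key and models the accept decision; the per-answer `secure` flag is an assumption standing in for the resolver's validation result (the AD bit, or ldns's own validation in the FreeBSD build).

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by SSH key type.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(raw_key: bytes) -> str:
    """Build a known_hosts-style public key line from a 32-byte Ed25519 key.
    Used here only to construct sample input; a real host key comes from
    /etc/ssh/ssh_host_*_key.pub."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def sshfp_records(pubkey_line: str):
    """Return the (algorithm, fptype, hexfp) tuples for a public key line.
    The fingerprint is the hash over the raw key blob, i.e. the base64-decoded
    second field of the line, which is what ssh-keygen -r publishes."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASH.items())]


def host_key_trusted(pubkey_line: str, dns_answers) -> bool:
    """Model of the VerifyHostKeyDNS=yes decision for an offered host key.
    dns_answers is a list of (algorithm, fptype, hexfp, secure) tuples, where
    `secure` (an assumption of this model) says the resolver DNSSEC-validated
    the answer. Only a validated record that matches the offered key is
    accepted without asking; anything else falls back to the usual prompt."""
    mine = {(a, t, fp) for a, t, fp in sshfp_records(pubkey_line)}
    return any(secure and (a, t, fp.lower()) in mine
               for a, t, fp, secure in dns_answers)


if __name__ == "__main__":
    key = ed25519_pubkey_line(bytes(range(32)))  # constructed sample key
    for alg, fptype, fp in sshfp_records(key):
        print(f"host.example. IN SSHFP {alg} {fptype} {fp}")
```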