Date: Wed, 11 Sep 2013 17:00:15 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: current@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: HEADS UP: OpenSSH with DNSSEC support in 10
Message-ID: <86hadre740.fsf@nine.des.no>
OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you disable LDNS in src.conf. If DNSSEC is enabled, the default setting for VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust DNSSEC-signed SSHFP records.

I consider this a lesser evil than "ask" (aka "train the user to type 'yes' and hit enter") and "no" (aka "train the user to type 'yes' and hit enter without even the benefit of a second opinion").

DES
-- 
Dag-Erling Smørgrav - des@des.no
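The following is an added example, not part of the original message and not OpenSSH's own code. It shows the two halves of what the post is about: how the SSHFP records that an administrator publishes are derived from a host key (the hash of the raw key blob, as `ssh-keygen -r` emits them), and a model of the client-side decision behind VerifyHostKeyDNS. The decision logic follows OpenSSH's check_host_key(): the host-key prompt is skipped only when the setting is "yes", an SSHFP record matches, and the resolver reports the answer as DNSSEC-validated; a matching but unvalidated record is only a hint and the user is still asked. The hostname `ssh.example.com`, the `DnsAnswer` class and its `validated` flag, and the sample Ed25519 key are constructed for the example (the key is arbitrary bytes in OpenSSH wire format, not a real key pair; the Ed25519 algorithm number postdates this 2013 post).

```python
import base64
import hashlib
from dataclasses import dataclass, field

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Decode the key blob from an OpenSSH public key line: "type base64 [comment]"."""
    keytype, b64 = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64)


def sshfp_records(hostname, pubkey_line):
    """SSHFP RRs for a host key, one per fingerprint type, as ssh-keygen -r publishes them.
    The fingerprint is the hash of the raw (base64-decoded) key blob, hex-encoded."""
    keytype, blob = key_blob(pubkey_line)
    algo = SSHFP_ALGO[keytype]
    return [(hostname, algo, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_FPTYPE.items()]


def format_rr(rr):
    """Zone-file presentation of one SSHFP record."""
    host, algo, fptype, fp = rr
    return f"{host} IN SSHFP {algo} {fptype} {fp}"


@dataclass
class DnsAnswer:
    """Constructed stand-in for an SSHFP lookup result. `validated` models what the
    ldns-backed resolver reports: True only if the RRset came with a verified DNSSEC
    chain (the AD bit), False for unsigned zones or a non-validating resolver."""
    records: list = field(default_factory=list)
    validated: bool = False


def dns_match(pubkey_line, answer):
    """Compare a host key against every SSHFP RR in the answer. Returns (found, matched)."""
    keytype, blob = key_blob(pubkey_line)
    algo = SSHFP_ALGO[keytype]
    matched = False
    for _host, r_algo, r_fptype, r_fp in answer.records:
        if r_algo != algo or r_fptype not in SSHFP_FPTYPE:
            continue  # record is for another key type or an unknown hash; skip it
        if SSHFP_FPTYPE[r_fptype](blob).hexdigest().lower() == r_fp.lower():
            matched = True
    return bool(answer.records), matched


def decide(pubkey_line, answer, verify_host_key_dns="yes"):
    """Decision for a host that is not yet in known_hosts. Only "yes" + a matching
    record + a DNSSEC-validated answer accepts the key without a prompt; everything
    else falls back to the usual "are you sure?" question. Returns (decision, reason)."""
    if verify_host_key_dns == "no":
        return "ask", "DNS not consulted"
    found, matched = dns_match(pubkey_line, answer)
    if not found:
        return "ask", "no SSHFP records for this host"
    if matched and answer.validated and verify_host_key_dns == "yes":
        return "accept", "matching SSHFP record, DNSSEC-validated"
    if matched:
        return "ask", "matching host key fingerprint found in DNS, but unvalidated or mode is 'ask'"
    return "ask", "SSHFP records found but none match: stale RR or a possible MITM"


def constructed_ed25519_pubkey(seed):
    """Constructed sample key in OpenSSH wire format: string("ssh-ed25519") || string(32 bytes).
    The 32 bytes are arbitrary; SSHFP hashes the blob, so no real key pair is needed."""
    pk = hashlib.sha256(seed).digest()
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + pk
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey(b"sample-host-key")
    rrs = sshfp_records("ssh.example.com", key)
    for rr in rrs:
        print(format_rr(rr))
    for setting in ("yes", "ask", "no"):
        for validated in (True, False):
            print(setting, "validated" if validated else "unvalidated",
                  decide(key, DnsAnswer(rrs, validated), setting))
```

The thing to check on a real deployment is the `validated` half: `ssh -v` reports whether the SSHFP records were found and whether the DNS answer was secure, and `dig +dnssec SSHFP ssh.example.com` from the client's resolver should return the AD flag. Without a validating resolver path, "yes" degrades to the same prompt as "ask", which is exactly the case the post is arguing against.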