From CSCWiki

Do we support DNSSEC? Without it, this is fairly useless and would possibly introduce securitah holes.

No, the zone is not signed (neither is ca, for that matter). I don't see how adding this introduces security holes, though. This just provides another way for OpenSSH to check the fingerprint. If someone compromises DNS traffic (through a man-in-the-middle attack or otherwise), I think we're no worse off than where we are without SSHFP records.
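To make the mechanism under discussion concrete, the following Python script is an added example (not code from CSCWiki or from OpenSSH). It derives SSHFP record data from an OpenSSH public key line the same way `ssh-keygen -r` does (the fingerprint is a hash of the base64-decoded key blob, with algorithm numbers 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519 and fingerprint types 1 SHA-1, 2 SHA-256), and then models the client-side decision the `ssh_config` manual documents for `VerifyHostKeyDNS=yes`: a matching fingerprint from a DNSSEC-validated answer is trusted implicitly, while a match from an unvalidated answer is treated as if the option were `ask`, so the user is still prompted. The sample key, hostname `login.example` and the function names are constructed for the example and are not from the wiki.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2


def sshfp_from_pubkey(pubkey_line, fptype=SSHFP_SHA256):
    """Return (algorithm, fptype, hex fingerprint) for one OpenSSH public key line.

    The fingerprint covers the raw key blob, i.e. the base64-decoded wire
    encoding of the key, not the text line itself.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.sha256(blob) if fptype == SSHFP_SHA256 else hashlib.sha1(blob)
    return SSHFP_ALGORITHMS[keytype], fptype, digest.hexdigest()


def sshfp_rr(hostname, pubkey_line, fptype=SSHFP_SHA256):
    """Render a zone-file SSHFP record for the given host key."""
    alg, fpt, fp = sshfp_from_pubkey(pubkey_line, fptype)
    return f"{hostname}. IN SSHFP {alg} {fpt} {fp}"


def parse_sshfp_rr(rr_text):
    """Parse 'owner. IN SSHFP <alg> <fptype> <hex>' into (alg, fptype, hex)."""
    fields = rr_text.split()
    idx = fields.index("SSHFP")
    alg, fptype = int(fields[idx + 1]), int(fields[idx + 2])
    fp = "".join(fields[idx + 3:]).lower()  # zone files may split the hex
    return alg, fptype, fp


def check_host_key(presented_pubkey_line, sshfp_records, dnssec_validated):
    """Model the documented VerifyHostKeyDNS=yes behaviour of the ssh client.

    Returns one of:
      "no-record" - nothing in DNS; fall back to known_hosts / the usual prompt
      "mismatch"  - DNS has records but none match the key the server offered
      "accept"    - match from a DNSSEC-validated (AD bit) answer: trusted implicitly
      "ask"       - match from an unvalidated answer: handled as VerifyHostKeyDNS=ask
    """
    if not sshfp_records:
        return "no-record"
    alg, _, fp = sshfp_from_pubkey(presented_pubkey_line, SSHFP_SHA256)
    matched = any(
        r_alg == alg and r_fpt == SSHFP_SHA256 and r_fp == fp
        for (r_alg, r_fpt, r_fp) in sshfp_records
    )
    if not matched:
        return "mismatch"
    return "accept" if dnssec_validated else "ask"


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_pubkey(seed):
    """Constructed sample key line: 32 derived bytes stand in for a real Ed25519 key."""
    raw = hashlib.sha256(seed).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey(b"sample host key")
    rr = sshfp_rr("login.example", key)
    print(rr)
    records = [parse_sshfp_rr(rr)]
    for validated in (True, False):
        print("DNSSEC validated" if validated else "unvalidated answer",
              "->", check_host_key(key, records, validated))
```

The record the script prints is what you would publish in the zone; `ssh -o VerifyHostKeyDNS=yes host` then consults it. Because the zone is unsigned, the client ends up in the `ask` branch, so the record acts as extra information shown alongside the usual fingerprint prompt rather than as an automatic trust decision, which is the "no worse off" point made in the reply.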