Talk:DNS
Do we support DNSSEC? Without it, this is fairly useless and would possibly introduce securitah holes.
No, the uwaterloo.ca zone is not signed (neither is ca, for that matter). I don't see how adding this introduces security holes, though. This just provides another way for OpenSSH to check the fingerprint. If someone compromises DNS traffic (through a man-in-the-middle attack or otherwise), I think we're no worse off than where we are without SSHFP records.
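Added example, not part of either comment above and not code from this wiki: how an SSHFP record is derived from a host public key, and a simplified model of how a client can treat a match depending on whether the DNS answer was DNSSEC-validated (OpenSSH's `VerifyHostKeyDNS yes` trusts only secure fingerprints and handles insecure ones as `ask`). The sample key, the name `host.example` and the function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, hex fingerprint) for an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type name.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return KEY_ALGS[key_type], fp_type, FP_TYPES[fp_type](blob).hexdigest()


def check_host_key(pubkey_line, records, dnssec_validated):
    """Simplified model of the client decision; records are (alg, fp_type, hex) tuples."""
    alg = sshfp_rdata(pubkey_line)[0]
    usable = [r for r in records if r[0] == alg and r[1] in FP_TYPES]
    if not usable:
        return "no-record"   # nothing to compare: normal known_hosts handling
    for _, fp_type, fp in usable:
        if sshfp_rdata(pubkey_line, fp_type)[2] == fp.lower():
            # Only a DNSSEC-validated answer is trusted without asking the user.
            return "trust" if dnssec_validated else "ask"
    return "mismatch"        # record exists but the offered key differs


def constructed_ed25519_line():
    """Constructed sample key (bytes 0..31), not a real host key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host.example"


SAMPLE_KEY = constructed_ed25519_line()

if __name__ == "__main__":
    alg, fp_type, fp = sshfp_rdata(SAMPLE_KEY)
    print(f"host.example. IN SSHFP {alg} {fp_type} {fp}")
    for validated in (True, False):
        print(validated, check_host_key(SAMPLE_KEY, [(alg, fp_type, fp)], validated))
```

In an unsigned zone every match comes back as `ask`, so the record is a hint shown next to the usual fingerprint prompt, not a replacement for it.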