From CSCWiki
Revision as of 22:30, 9 September 2010 by Jbroman (talk | contribs) (moved mimcpher's comment from the main DNS page about SSHFP (itself an old comment made by someone else) to talk and added a reply)

Do we support DNSSEC? Without it, this is fairly useless and would possibly introduce security holes.

No, the zone is not signed (neither is ca, for that matter). I don't see how adding this introduces security holes, though. This just provides another way for OpenSSH to check the fingerprint. If someone compromises DNS traffic (through a man-in-the-middle attack or otherwise), I think we're no worse off than where we are without SSHFP records.
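To make the SSHFP discussion above concrete, here is an added Python example (not code from this wiki or from the CSC systems). It builds the SSHFP RDATA that `ssh-keygen -r` would publish for a host key, then mimics the client-side decision OpenSSH makes with `VerifyHostKeyDNS yes`: a fingerprint match from a DNSSEC-validated answer is accepted outright, while a match from an unsigned zone (the situation described in the reply) still falls back to the usual known_hosts prompt. The host key is constructed from 32 predictable bytes standing in for an Ed25519 public key, and the owner name `host.example.net.` is a placeholder; neither is a real CSC host key or record.

```python
"""Build and check SSHFP records (RFC 4255, RFC 6594, RFC 7479) for an OpenSSH host key."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers as assigned by the RFCs above.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def build_host_key_line(key_type, raw_key):
    """Build an OpenSSH public key line ("<type> <base64 blob>") from raw key bytes.
    The blob is the SSH wire encoding: string(key_type) || string(raw_key)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)
    return key_type + " " + base64.b64encode(blob).decode()


# Constructed sample: 32 predictable bytes in place of an Ed25519 public key. Not a real host key.
SAMPLE_HOST_KEY = build_host_key_line("ssh-ed25519", bytes(range(32)))


def public_key_blob(key_line):
    """Return (key_type, blob) from a public key line; the blob is what SSHFP fingerprints hash."""
    key_type, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with its own type string; reject lines whose label disagrees with it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type in blob does not match line")
    return key_type, blob


def fingerprint_hex(blob, fp_type):
    """Hex fingerprint of the whole key blob using the SSHFP fingerprint type's digest."""
    return SSHFP_DIGEST[fp_type](blob).hexdigest()


def sshfp_records(key_line, owner="host.example.net."):
    """Return one (owner, algorithm, fp_type, hex) record per fingerprint type, SHA-1 first."""
    key_type, blob = public_key_blob(key_line)
    alg = SSHFP_ALGORITHM[key_type]
    return [(owner, alg, fp_type, fingerprint_hex(blob, fp_type))
            for fp_type in sorted(SSHFP_DIGEST)]


def format_zone_lines(records):
    """Render records as zone-file lines, the same shape ssh-keygen -r prints."""
    return ["%s IN SSHFP %d %d %s" % (owner, alg, fpt, fp.upper())
            for owner, alg, fpt, fp in records]


def key_matches_sshfp(key_line, records):
    """Client-side check: does the key the server presented match any published SSHFP record?"""
    key_type, blob = public_key_blob(key_line)
    alg = SSHFP_ALGORITHM.get(key_type)
    for _owner, rec_alg, fp_type, fp in records:
        if rec_alg == alg and fp_type in SSHFP_DIGEST and fingerprint_hex(blob, fp_type) == fp.lower():
            return True
    return False


def decide(key_line, records, dnssec_validated):
    """Outcome under VerifyHostKeyDNS=yes. OpenSSH accepts the key without prompting only when the
    fingerprint matches AND the DNS answer was DNSSEC-validated (AD bit set by a trusted resolver).
    A match from an unsigned zone is reported as supporting evidence but still goes to the prompt."""
    if not key_matches_sshfp(key_line, records):
        return "no match: fall back to known_hosts / prompt"
    return "trust" if dnssec_validated else "match found but unauthenticated: still prompt"


if __name__ == "__main__":
    recs = sshfp_records(SAMPLE_HOST_KEY)
    for line in format_zone_lines(recs):
        print(line)
    print(decide(SAMPLE_HOST_KEY, recs, dnssec_validated=False))
    print(decide(SAMPLE_HOST_KEY, recs, dnssec_validated=True))
```

On a real host the records come from `ssh-keygen -r <hostname>` run against `/etc/ssh/ssh_host_*_key.pub`; the `decide` function is the point of the thread: without a signed zone (and a resolver that validates and passes the AD bit), the SSHFP match never upgrades to automatic trust, so a spoofed DNS answer can at most make the prompt look more convincing, which is the "no worse off" argument in the reply.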