NetBSD/crypto
jym c8b47a469d Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.

Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).

This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.

Only done for the NetBSD.org domain; SSHFP records are sadly more an
exception than the rule.

Notified on netbsd-users@, no objection after a week -- committed.
2013-10-06 17:25:34 +00:00
dist/ipsec-tools Use Mt for email addresses. 2013-07-20 21:39:55 +00:00
external Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts 2013-10-06 17:25:34 +00:00
Makefile.openssl Remove -I line for no longer extant directory. The OpenSSL libraries 2009-09-23 04:02:28 +00:00
TODO