silly footnote ;)

Florian Obser 2023-01-15 08:32:33 +01:00
parent 7540e3f554
commit 4ae9e2c797


@ -64,7 +64,8 @@ needs to have the /Authentic Data (AD)/ flag set. The flag gets set
when a validating name-server is asked for the SSHFP record, it finds when a validating name-server is asked for the SSHFP record, it finds
it and it can validate the answer using DNSSEC. it and it can validate the answer using DNSSEC.
But then the libc stub resolver[fn:: The thingy that ssh uses to talk But then the libc stub resolver[fn:: The thingy[fn:: Thingy is a
technical term, don't worry about it.] that ssh uses to talk
to the validating name-server. On OpenBSD that is [[https://man.openbsd.org/man3/asr_run.3][asr]].] gets that to the validating name-server. On OpenBSD that is [[https://man.openbsd.org/man3/asr_run.3][asr]].] gets that
answer it will strip the AD flag for security reasons. You see, it answer it will strip the AD flag for security reasons. You see, it
does not know that it can trust the validating name-server. One way to does not know that it can trust the validating name-server. One way to
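
Review bot: the new "[fn:: Thingy is a technical term, don't worry about it.]" is an anonymous inline footnote nested inside the existing "[fn:: The thingy ... [[...][asr]].]" footnote, so the outer definition now contains both a bracketed link and a second footnote before its own closing bracket. Please check the exported page to confirm that the inner footnote gets its own number and that the outer one still ends after "asr]].". If the exporter mishandles the nesting, a named footnote reference such as [fn:thingy] with a separate definition avoids the nested brackets while keeping the joke.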