maybe a definition renders nicer

Florian Obser 2023-01-15 08:35:59 +01:00
parent c2447eab80
commit 4f65a3a136
1 changed file with 19 additions and 23 deletions


@ -40,17 +40,15 @@ can secure those with DNSSEC.
* VerifyHostKeyDNS
[[https://man.openbsd.org/ssh_config.5#VerifyHostKeyDNS][ssh_config(5)]] explains how [[https://man.openbsd.org/ssh.1][ssh(1)]] can use SSHFP records to verify
host-keys:
#+begin_example
VerifyHostKeyDNS
Specifies whether to verify the remote key using DNS and SSHFP
resource records. If this option is set to yes, the client will
implicitly trust keys that match a secure fingerprint from DNS.
Insecure fingerprints will be handled as if this option was set
to ask. If this option is set to ask, information on fingerprint
match will be displayed, but the user will still need to confirm
new host keys according to the StrictHostKeyChecking option. The
default is no.
#+end_example
+ VerifyHostKeyDNS :: Specifies whether to verify the remote key using
DNS and SSHFP resource records. If this option is set to yes, the
client will implicitly trust keys that match a secure fingerprint
from DNS. Insecure fingerprints will be handled as if this option
was set to ask. If this option is set to ask, information on
fingerprint match will be displayed, but the user will still need to
confirm new host keys according to the StrictHostKeyChecking option.
The default is no.
One problem with this is, if you put
#+begin_example
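Review bot: the continuation lines of the `+ VerifyHostKeyDNS ::` description item ("DNS and SSHFP resource records. If this option is set to yes, ..." through "The default is no.") appear flush left in this view; in Org a description item only continues if those lines are indented to the item body, otherwise the list ends after its first line and the remaining text renders as a separate paragraph. Please confirm the indentation is really present in the file (this rendering may have stripped it), and consider a blank line before the trailing context `One problem with this is, if you put` so that paragraph is not absorbed into the list item. Now that the text is no longer inside a verbatim example block, the option values and the option name would read better in the file's existing =verbatim= markup, e.g. `set to =yes=`, `set to =ask=`, `according to the =StrictHostKeyChecking= option`, `The default is =no=.`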
@ -71,18 +69,16 @@ does not know that it can trust the validating name-server. One way to
have a trustworthy validating name-server is to run one on localhost.
[[http://man.openbsd.org/resolv.conf#trust-ad][resolv.conf(5)]] explains the *trust-ad* option:
#+begin_example
trust-ad A name server indicating that it performed DNSSEC
validation by setting the Authentic Data (AD) flag
in the answer can only be trusted if the name
server itself is trusted and the network path is
trusted. Generally this is not the case and the
AD flag is cleared in the answer. The trust-ad
option lets the system administrator indicate that
the name server and the network path are trusted.
This option is automatically enabled if
resolv.conf only lists name servers on localhost.
#+end_example
+ trust-ad :: A name server indicating that it performed DNSSEC
validation by setting the Authentic Data (AD) flag in the answer can
only be trusted if the name server itself is trusted and the network
path is trusted. Generally this is not the case and the AD flag is
cleared in the answer. The trust-ad option lets the system
administrator indicate that the name server and the network path are
trusted. This option is automatically enabled if resolv.conf only
lists name servers on localhost.
The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]. [[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add
=nameserver 127.0.0.1= into =/etc/resolv.conf= and comment out all
other dynamically learned name servers. Just make sure that you are
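Review bot: the same indentation concern applies to the `+ trust-ad ::` item: its continuation lines ("validation by setting the Authentic Data (AD) flag ..." through "lists name servers on localhost.") show no indentation here, and Org would then end the list after the first line. The sentence `The easiest way is to run unwind(8).` that follows directly also needs a blank line (or indentation) so it is neither parsed as part of the item nor split awkwardly from it. For consistency with `=nameserver 127.0.0.1=` and `=/etc/resolv.conf=` a few lines below, `trust-ad` and `resolv.conf` inside the item would suit the same =verbatim= markup. Unrelated to the change but in the touched context: the resolv.conf(5) link uses `http://man.openbsd.org/...` while the other man.openbsd.org links in the file use `https://`; worth aligning while this region is being edited.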