From 4f65a3a1363c04be592a762e17395b152199696f Mon Sep 17 00:00:00 2001 From: Florian Obser Date: Sun, 15 Jan 2023 08:35:59 +0100 Subject: [PATCH] maybe a definition renders nicer --- VerifyHostKeyDNS.org | 42 +++++++++++++++++++----------------------- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/VerifyHostKeyDNS.org b/VerifyHostKeyDNS.org index 7579e5e..22092ab 100644 --- a/VerifyHostKeyDNS.org +++ b/VerifyHostKeyDNS.org @@ -40,17 +40,15 @@ can secure those with DNSSEC. * VerifyHostKeyDNS [[https://man.openbsd.org/ssh_config.5#VerifyHostKeyDNS][ssh​_config(5)]] explains how [[https://man.openbsd.org/ssh.1][ssh(1)]] can use SSHFP records to verify host-keys: -#+begin_example -VerifyHostKeyDNS - Specifies whether to verify the remote key using DNS and SSHFP - resource records. If this option is set to yes, the client will - implicitly trust keys that match a secure fingerprint from DNS. - Insecure fingerprints will be handled as if this option was set - to ask. If this option is set to ask, information on fingerprint - match will be displayed, but the user will still need to confirm - new host keys according to the StrictHostKeyChecking option. The - default is no. -#+end_example + ++ VerifyHostKeyDNS :: Specifies whether to verify the remote key using + DNS and SSHFP resource records. If this option is set to yes, the + client will implicitly trust keys that match a secure fingerprint + from DNS. Insecure fingerprints will be handled as if this option + was set to ask. If this option is set to ask, information on + fingerprint match will be displayed, but the user will still need to + confirm new host keys according to the StrictHostKeyChecking option. + The default is no. One problem with this is, if you put #+begin_example 
@@ -71,18 +69,16 @@ does not know that it can trust the validating name-server. One way to have a trustworthy validating name-server is to run one on localhost. [[http://man.openbsd.org/resolv.conf#trust-ad][resolv.conf(5)]] explains the *trust-ad* option: -#+begin_example -trust-ad A name server indicating that it performed DNSSEC - validation by setting the Authentic Data (AD) flag - in the answer can only be trusted if the name - server itself is trusted and the network path is - trusted. Generally this is not the case and the - AD flag is cleared in the answer. The trust-ad - option lets the system administrator indicate that - the name server and the network path are trusted. - This option is automatically enabled if - resolv.conf only lists name servers on localhost. -#+end_example + ++ trust-ad :: A name server indicating that it performed DNSSEC + validation by setting the Authentic Data (AD) flag in the answer can + only be trusted if the name server itself is trusted and the network + path is trusted. Generally this is not the case and the AD flag is + cleared in the answer. The trust-ad option lets the system + administrator indicate that the name server and the network path are + trusted. This option is automatically enabled if resolv.conf only + lists name servers on localhost. + The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]. [[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add =nameserver 127.0.0.1= into =/etc/resolv.conf= and comment out all other dynamically learned name servers. Just make sure that you are
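Review bot: the first hunk (@@ -40,17) ends the new description item at "The default is no." and runs straight into the paragraph "One problem with this is, if you put" with no blank line, while the second hunk keeps a blank line after its item; make the two consistent and keep the blank line, which also makes it unambiguous to the org parser that the following paragraph is not a continuation of the list item. Since the item text is a verbatim excerpt of ssh_config(5), consider marking the term with the file's existing verbatim markup (=VerifyHostKeyDNS=, matching the =nameserver 127.0.0.1= and =/etc/resolv.conf= style visible in the second hunk's context) so the reader still sees it is the literal option name and not the author's prose.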
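Review bot: in the second hunk (@@ -71,18) the #+begin_example fence was the only signal that the trust-ad text is resolv.conf(5)'s own wording; once it is re-wrapped into a description item it reads like the author's paraphrase. Either an org #+begin_quote block or keeping the term in the same markup the surrounding sentence already uses (*trust-ad*, or =trust-ad= to match the =/etc/resolv.conf= style two lines below) would preserve that distinction. Also double-check that the re-wrapped text is still word-for-word the man page, since the example block previously guaranteed that by preserving the original line breaks.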