diff --git a/VerifyHostKeyDNS.org b/VerifyHostKeyDNS.org index 35c6b44..607e96e 100644 --- a/VerifyHostKeyDNS.org +++ b/VerifyHostKeyDNS.org @@ -30,7 +30,7 @@ host-keys of new hosts and new hosts needing to verify host-keys of existing infrastructure. One way to deal with this is to run a [[https://www.lorier.net/docs/ssh-ca.html][CA, sign host-keys with it and roll certificates out]]. -I on the other hand prefer to use DNS[fn:: I have a laptop sticker and +I on the other hand, prefer to use DNS[fn:: I have a laptop sticker and travel mug with "We reject kings, presidents and voting. We believe in rough consensus and running code." crossed out with "Fuck that! Just put it in DNS." I also have a RUN DNS sticker. I am biased]. [[https://www.rfc-editor.org/rfc/rfc4255][RFC4255]] provides @@ -56,10 +56,9 @@ Host * VerifyHostKeyDNS yes #+end_example into your =.ssh/config= it will not work. The magic is /secure -fingerprint/. What the man page means is that a DNS answer for SSHFP -needs to have the /Authentic Data (AD)/ flag set. The flag gets set -when a validating name-server is asked for the SSHFP record, it finds -it and it can validate the answer using DNSSEC. +fingerprint/. What the documentation means is that a DNS answer for +SSHFP needs to have the /Authentic Data (AD)/ flag set. The flag gets +set by a validating name-server if it can DNSSEC validate the SSHFP. But then the libc stub resolver[fn:: The thingy[fn:: Thingy is a technical term, don't worry about it.] that ssh uses to talk 
@@ -79,15 +78,20 @@ have a trustworthy validating name-server is to run one on localhost. trusted. This option is automatically enabled if resolv.conf only lists name servers on localhost. -The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]. [[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add -=nameserver 127.0.0.1= into =/etc/resolv.conf= and comment out all -other dynamically learned name servers. Just make sure that you are -not using any static configured name servers[fn:: I use ~! route -nameserver $if 149.112.112.9 2620:fe::9 9.9.9.9 2620:fe::fe:9~ in my -main [[http://man.openbsd.org/hostname.if.5][hostname.if(5)]] to add some static name servers in case unwind(8) -crashes[fn:: Not sure why it would do that though. Sounds -unpleasant.].] because you really want to have only =nameserver -127.0.0.1= in there. +The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]: +#+begin_src shell + doas rcctl enable unwind + doas rcctl start unwind +#+end_src + +[[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add =nameserver 127.0.0.1= to +=/etc/resolv.conf= and comment out all other dynamically learned name +servers. Just make sure that you are not using any static configured +name servers[fn:: I use ~! route nameserver $if 149.112.112.9 +2620:fe::9 9.9.9.9 2620:fe::fe:9~ in my main [[http://man.openbsd.org/hostname.if.5][hostname.if(5)]] to add +some static name servers in case unwind(8) crashes[fn:: Not sure why +it would do that though. Sounds unpleasant.].] because you really want +to have only =nameserver 127.0.0.1= in there. * Putting it all together When I install a new host I have out of band access in one way or another. It might be a serial console, a fake html5 console or some
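Review bot: the comma added in the @@ -30,7 hunk (`+I on the other hand, prefer to use DNS`) is unbalanced; an interjected "on the other hand" takes a comma on both sides, and a single comma after "hand" splits the subject from its verb. Either keep the original wording or change the line to `I, on the other hand, prefer to use DNS`.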
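Review bot: in the @@ -56,10 hunk, swapping "man page" for "documentation" loses the pointer to where /secure fingerprint/ is actually defined; naming it (`What ssh_config(5) means is that a DNS answer for SSHFP ...`) is more precise than either version, since VerifyHostKeyDNS and that phrase come from ssh_config(5). The rewritten last sentence also uses DNSSEC as a verb ("if it can DNSSEC validate the SSHFP"); `if it can validate the SSHFP answer with DNSSEC` reads better and keeps the original's point that the whole answer, not just the record, is what gets validated.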
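Review bot: the new src block in the @@ -79,15 hunk enables and starts unwind(8) but gives the reader no way to confirm the condition the paragraph depends on: per the context line just above ("This option is automatically enabled if resolv.conf only lists name servers on localhost"), the AD flag is only trusted once resolv.conf contains nothing but localhost. Consider following the two rcctl commands with a check such as `cat /etc/resolv.conf` and the expected `nameserver 127.0.0.1` line, so a leftover static name server (exactly the case the footnote describes) is noticed before anyone relies on VerifyHostKeyDNS. Minor: this hunk writes "name servers" while the previous hunk writes "name-server"; pick one spelling.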