Some more editing to make this read better.

VerifyHostKeyDNS.org

@@ -30,7 +30,7 @@ host-keys of new hosts and new hosts needing to verify host-keys of
 existing infrastructure. One way to deal with this is to run a [[https://www.lorier.net/docs/ssh-ca.html][CA,
 sign host-keys with it and roll certificates out]].
 
-I on the other hand prefer to use DNS[fn:: I have a laptop sticker and
+I on the other hand, prefer to use DNS[fn:: I have a laptop sticker and
 travel mug with "We reject kings, presidents and voting. We believe in
 rough consensus and running code." crossed out with "Fuck that! Just
 put it in DNS." I also have a RUN DNS sticker. I am biased]. [[https://www.rfc-editor.org/rfc/rfc4255][RFC4255]] provides
@@ -56,10 +56,9 @@ Host *
     VerifyHostKeyDNS yes
 #+end_example
 into your =.ssh/config= it will not work. The magic is /secure
-fingerprint/. What the man page means is that a DNS answer for SSHFP
+fingerprint/. What the documentation means is that a DNS answer for
-needs to have the /Authentic Data (AD)/ flag set. The flag gets set
+SSHFP needs to have the /Authentic Data (AD)/ flag set. The flag gets
-when a validating name-server is asked for the SSHFP record, it finds
+set by a validating name-server if it can DNSSEC validate the SSHFP.
-it and it can validate the answer using DNSSEC.
 
 But then the libc stub resolver[fn:: The thingy[fn:: Thingy is a
 technical term, don't worry about it.] that ssh uses to talk
@@ -79,15 +78,20 @@ have a trustworthy validating name-server is to run one on localhost.
   trusted.  This option is automatically enabled if resolv.conf only
   lists name servers on localhost.
 
-The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]. [[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add
+The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]:
-=nameserver 127.0.0.1= into =/etc/resolv.conf= and comment out all
+#+begin_src shell
-other dynamically learned name servers. Just make sure that you are
+  doas rcctl enable unwind
-not using any static configured name servers[fn:: I use ~! route
+  doas rcctl start unwind
-nameserver $if 149.112.112.9 2620:fe::9 9.9.9.9 2620:fe::fe:9~ in my
+#+end_src
-main [[http://man.openbsd.org/hostname.if.5][hostname.if(5)]] to add some static name servers in case unwind(8)
+
-crashes[fn:: Not sure why it would do that though. Sounds
+[[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add =nameserver 127.0.0.1= to
-unpleasant.].] because you really want to have only =nameserver
+=/etc/resolv.conf= and comment out all other dynamically learned name
-127.0.0.1= in there.
+servers. Just make sure that you are not using any static configured
+name servers[fn:: I use ~! route nameserver $if 149.112.112.9
+2620:fe::9 9.9.9.9 2620:fe::fe:9~ in my main [[http://man.openbsd.org/hostname.if.5][hostname.if(5)]] to add
+some static name servers in case unwind(8) crashes[fn:: Not sure why
+it would do that though. Sounds unpleasant.].] because you really want
+to have only =nameserver 127.0.0.1= in there.
 * Putting it all together
 When I install a new host I have out of band access in one way or
 another. It might be a serial console, a fake html5 console or some