Reword the last section

2023-01-15 09:07:17 +01:00 · 2023-01-15 09:07:17 +01:00 · c0ddd4f72b
commit c0ddd4f72b
parent fc9cceaa91
1 changed files with 9 additions and 8 deletions
--- a/VerifyHostKeyDNS.org
+++ b/VerifyHostKeyDNS.org
@ -102,22 +102,23 @@ On the installed machine I use said out of band access to run
 #+begin_src shell
  ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
 #+end_src
-This gives me one ssh host-key fingerprint and I can then login over
-ssh.
+This gives me one ssh host-key fingerprint and I can login over ssh.
+
+I have to add IPv6 and legacy-IP addresses to DNS for the machine so I
+also grab the SSHFP to add them at the same time:

-I then run
 #+begin_src shell
  ls /etc/ssh/*.pub | xargs -n1 ssh-keygen -r $(hostname) -f
 #+end_src
-and copy & paste the result into my DNS zone file along side A and
-AAAA records for legacy IP and IPv6. I use [[https://www.powerdns.com/][PowerDNS]] as a hidden DNSSEC
-signer so I paste into the editor ~pdnsutil edit-zone~
-provides.

-While still logged in I install python3 and add an ssh-key for
+While still logged in, I install python3 and add an ssh-key for
 ansible. I then add the host to the ansible inventory. The ansible
 orchestrator can now finish the installation of the host over ssh
 while trusting the SSHFP it finds in DNS.

+Ansible also hooks up the host to my monitoring system and the
+monitoring system can connect to the new host over ssh, again trusting
+that it talks to the correct host because of SSHFP in DNS.
+
 The newly installed host knows that it's talking to my backup and
 monitoring server using their published SSHFP records.