Let's the if we can give the mono-space boxes a bit more space.

2023-01-15 08:33:37 +01:00 · 2023-01-15 08:33:37 +01:00 · c2447eab80
parent 4ae9e2c797
commit c2447eab80
1 changed files with 19 additions and 20 deletions
--- a/VerifyHostKeyDNS.org
+++ b/VerifyHostKeyDNS.org
@ -41,16 +41,15 @@ can secure those with DNSSEC.
 [[https://man.openbsd.org/ssh_config.5#VerifyHostKeyDNS][ssh_config(5)]] explains how [[https://man.openbsd.org/ssh.1][ssh(1)]] can use SSHFP records to verify
 host-keys:
 #+begin_example
-     VerifyHostKeyDNS
-             Specifies whether to verify the remote key using DNS and SSHFP
-             resource records.  If this option is set to yes, the client will
-             implicitly trust keys that match a secure fingerprint from DNS.
-             Insecure fingerprints will be handled as if this option was set
-             to ask.  If this option is set to ask, information on fingerprint
-             match will be displayed, but the user will still need to confirm
-             new host keys according to the StrictHostKeyChecking option.  The
-             default is no.
-
+VerifyHostKeyDNS
+    Specifies whether to verify the remote key using DNS and SSHFP
+    resource records.  If this option is set to yes, the client will
+    implicitly trust keys that match a secure fingerprint from DNS.
+    Insecure fingerprints will be handled as if this option was set
+    to ask.  If this option is set to ask, information on fingerprint
+    match will be displayed, but the user will still need to confirm
+    new host keys according to the StrictHostKeyChecking option.  The
+    default is no.
 #+end_example

 One problem with this is, if you put
@ -73,16 +72,16 @@ have a trustworthy validating name-server is to run one on localhost.

 [[http://man.openbsd.org/resolv.conf#trust-ad][resolv.conf(5)]] explains the *trust-ad* option:
 #+begin_example
-     trust-ad   A name server indicating that it performed DNSSEC
-                validation by setting the Authentic Data (AD) flag
-                in the answer can only be trusted if the name
-                server itself is trusted and the network path is
-                trusted.  Generally this is not the case and the
-                AD flag is cleared in the answer.  The trust-ad
-                option lets the system administrator indicate that
-                the name server and the network path are trusted.
-                This option is automatically enabled if
-                resolv.conf only lists name servers on localhost.
+trust-ad   A name server indicating that it performed DNSSEC
+           validation by setting the Authentic Data (AD) flag
+           in the answer can only be trusted if the name
+           server itself is trusted and the network path is
+           trusted.  Generally this is not the case and the
+           AD flag is cleared in the answer.  The trust-ad
+           option lets the system administrator indicate that
+           the name server and the network path are trusted.
+           This option is automatically enabled if
+           resolv.conf only lists name servers on localhost.
 #+end_example
 The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]. [[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add
 =nameserver 127.0.0.1= into =/etc/resolv.conf= and comment out all