Let's the if we can give the mono-space boxes a bit more space.

This commit is contained in:
Florian Obser 2023-01-15 08:33:37 +01:00
parent 4ae9e2c797
commit c2447eab80

View File

@ -41,16 +41,15 @@ can secure those with DNSSEC.
[[https://man.openbsd.org/ssh_config.5#VerifyHostKeyDNS][ssh_config(5)]] explains how [[https://man.openbsd.org/ssh.1][ssh(1)]] can use SSHFP records to verify [[https://man.openbsd.org/ssh_config.5#VerifyHostKeyDNS][ssh_config(5)]] explains how [[https://man.openbsd.org/ssh.1][ssh(1)]] can use SSHFP records to verify
host-keys: host-keys:
#+begin_example #+begin_example
VerifyHostKeyDNS VerifyHostKeyDNS
Specifies whether to verify the remote key using DNS and SSHFP Specifies whether to verify the remote key using DNS and SSHFP
resource records. If this option is set to yes, the client will resource records. If this option is set to yes, the client will
implicitly trust keys that match a secure fingerprint from DNS. implicitly trust keys that match a secure fingerprint from DNS.
Insecure fingerprints will be handled as if this option was set Insecure fingerprints will be handled as if this option was set
to ask. If this option is set to ask, information on fingerprint to ask. If this option is set to ask, information on fingerprint
match will be displayed, but the user will still need to confirm match will be displayed, but the user will still need to confirm
new host keys according to the StrictHostKeyChecking option. The new host keys according to the StrictHostKeyChecking option. The
default is no. default is no.
#+end_example #+end_example
One problem with this is, if you put One problem with this is, if you put
@ -73,16 +72,16 @@ have a trustworthy validating name-server is to run one on localhost.
[[http://man.openbsd.org/resolv.conf#trust-ad][resolv.conf(5)]] explains the *trust-ad* option: [[http://man.openbsd.org/resolv.conf#trust-ad][resolv.conf(5)]] explains the *trust-ad* option:
#+begin_example #+begin_example
trust-ad A name server indicating that it performed DNSSEC trust-ad A name server indicating that it performed DNSSEC
validation by setting the Authentic Data (AD) flag validation by setting the Authentic Data (AD) flag
in the answer can only be trusted if the name in the answer can only be trusted if the name
server itself is trusted and the network path is server itself is trusted and the network path is
trusted. Generally this is not the case and the trusted. Generally this is not the case and the
AD flag is cleared in the answer. The trust-ad AD flag is cleared in the answer. The trust-ad
option lets the system administrator indicate that option lets the system administrator indicate that
the name server and the network path are trusted. the name server and the network path are trusted.
This option is automatically enabled if This option is automatically enabled if
resolv.conf only lists name servers on localhost. resolv.conf only lists name servers on localhost.
#+end_example #+end_example
The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]. [[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]. [[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add
=nameserver 127.0.0.1= into =/etc/resolv.conf= and comment out all =nameserver 127.0.0.1= into =/etc/resolv.conf= and comment out all