From fc9cceaa91a0677ffd6062c94d285e1b419fc0cc Mon Sep 17 00:00:00 2001 From: Florian Obser Date: Sun, 15 Jan 2023 08:49:31 +0100 Subject: [PATCH] typo s/then/when/ --- VerifyHostKeyDNS.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VerifyHostKeyDNS.org b/VerifyHostKeyDNS.org index 607e96e..b8b92f0 100644 --- a/VerifyHostKeyDNS.org +++ b/VerifyHostKeyDNS.org @@ -60,7 +60,7 @@ fingerprint/. What the documentation means is that a DNS answer for SSHFP needs to have the /Authentic Data (AD)/ flag set. The flag gets set by a validating name-server if it can DNSSEC validate the SSHFP. -But then the libc stub resolver[fn:: The thingy[fn:: Thingy is a +But when the libc stub resolver[fn:: The thingy[fn:: Thingy is a technical term, don't worry about it.] that ssh uses to talk to the validating name-server. On OpenBSD that is [[https://man.openbsd.org/man3/asr_run.3][asr]].] gets that answer it will strip the AD flag for security reasons. You see, it