[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672

pva <peter.volkov@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |peter.volkov@gmail.com

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672

--- Comment #8 from pva <peter.volkov@gmail.com> ---
What is the status of this patch? It looks like many people don't
realize that without a secure local resolver, SSHFP just hides security
under the carpet: instead of a clear one-time 'yes' it makes this 'yes'
unattended, yet it's still possible for MITM on local networks, for
example, by redirecting DNS and ssh traffic to an attacker's computer.

[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #9 from Damien Miller <djm@mindrot.org> ---
I don't think there's any appetite to add DNSSEC validation to OpenSSH
itself, particularly not when it required making the ssh(1) binary
threaded as this patch does. This IMO seems like a job for a local
resolver.

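
The point made in comments #8 and #9, as an added example (not part of the thread and not OpenSSH code): a client that does no validation of its own sees only the AD ("authenticated data") flag its resolver returns, so that flag means something only when the resolver is local. The function names, the "accept"/"prompt" policy and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

QR_FLAG = 0x8000  # message is a response
AD_FLAG = 0x0020  # "Authenticated Data": the resolver claims DNSSEC validation succeeded


def ad_bit_set(response: bytes) -> bool:
    """Return True if a raw DNS response carries the AD flag in its header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", response[:4])
    if not flags & QR_FLAG:
        raise ValueError("not a DNS response")
    return bool(flags & AD_FLAG)


def sshfp_decision(response: bytes, resolver: str) -> str:
    """Hypothetical policy: may an SSHFP match replace the interactive prompt?

    "accept" only when the AD flag is set AND it came from a resolver on
    the loopback interface. An AD flag from a remote resolver travelled
    over the network unauthenticated, so whoever can redirect DNS traffic
    can set it; that case falls back to "prompt".
    """
    if not ad_bit_set(response):
        return "prompt"  # answer was not validated at all
    if ipaddress.ip_address(resolver).is_loopback:
        return "accept"  # validation happened on this host
    return "prompt"      # AD flag is only a claim made by the network


def make_header(ad: bool) -> bytes:
    """Constructed 12-byte DNS response header (QR, RD, RA set; 1 question, 1 answer)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)


if __name__ == "__main__":
    for ad, resolver in [(True, "127.0.0.1"), (True, "192.0.2.53"), (False, "::1")]:
        print(f"AD={ad!s:5} resolver={resolver:11} -> {sshfp_decision(make_header(ad), resolver)}")
```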