Hi,

I'm not sure if this is the right list for this. If it isn't, then please redirect me to the right one.

I found three issues with how openssh handles SSHFP records:

- If DNSSEC verification fails it displays a (to me) confusing error message 'Matching host key fingerprint found in DNS.'
- It trusts resolvers doing DNSSEC validation instead of always doing local validation
- It fails to do local validation due to lack of trust anchor.

In any case, ldns, which is used for this feature, is not the right tool for the job. So I wrote a patch to use getdns instead. I submitted the patch to the openssh maintainers, but they don't seem to care. As far as I know, FreeBSD is the only system that enables SSHFP validation by default so it makes sense to submit it here as well.

I put my code up on github. https://github.com/phicoh/openssh-getdns branch getdns.

Philip
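To make the three points above concrete, here is an added example (not code from the post or from the openssh-getdns patch) that checks a host key against SSHFP records and only treats a match as trusted when the DNSSEC status is "secure", reporting a failed validation as a distinct message instead of "Matching host key fingerprint found in DNS." The `DnssecStatus` values, the constructed Ed25519 key blob and the helper names are assumptions for the demonstration.

```python
import hashlib
import hmac
from enum import Enum

class DnssecStatus(Enum):
    SECURE = "secure"                # chain validated locally to a trust anchor
    INSECURE = "insecure"            # zone is provably unsigned
    BOGUS = "bogus"                  # signatures present but validation failed
    INDETERMINATE = "indeterminate"  # no trust anchor available, cannot validate

# SSHFP algorithm numbers (RFC 4255, 6594, 7479, 8709) -> SSH key type prefix
SSHFP_KEY_ALGO = {1: "ssh-rsa", 2: "ssh-dss", 3: "ecdsa-", 4: "ssh-ed25519", 6: "ssh-ed448"}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

# Constructed sample: an Ed25519 public key blob with a dummy 32-byte key.
CONSTRUCTED_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

def parse_sshfp(rdata: str) -> tuple[int, int, bytes]:
    """Parse presentation-format SSHFP rdata: '<algorithm> <fp-type> <hex-fingerprint>'."""
    algo, fptype, fp_hex = rdata.split()
    return int(algo), int(fptype), bytes.fromhex(fp_hex)

def host_key_fingerprint(key_blob: bytes, fptype: int) -> bytes:
    """SSHFP fingerprint = hash over the wire-format public key blob."""
    return SSHFP_HASH[fptype](key_blob).digest()

def sample_sshfp_record() -> str:
    """SSHFP rdata (algorithm 4, SHA-256) for the constructed key, as a zone would publish it."""
    return f"4 2 {host_key_fingerprint(CONSTRUCTED_KEY_BLOB, 2).hex()}"

def evaluate_sshfp(key_type: str, key_blob: bytes, records, status: DnssecStatus):
    """Return (trusted, message). A match is trusted only when validation was SECURE."""
    matched = False
    for rdata in records:
        algo, fptype, fp = parse_sshfp(rdata)
        prefix = SSHFP_KEY_ALGO.get(algo)
        if prefix is None or not key_type.startswith(prefix) or fptype not in SSHFP_HASH:
            continue  # record is for another key type or an unknown hash; skip it
        if hmac.compare_digest(host_key_fingerprint(key_blob, fptype), fp):
            matched = True
    if not matched:
        return False, "No matching host key fingerprint found in DNS."
    if status is DnssecStatus.SECURE:
        return True, "Matching host key fingerprint found in DNS (DNSSEC validated)."
    return False, (f"Matching host key fingerprint found in DNS, but DNSSEC validation "
                   f"did not succeed ({status.value}); not trusting it.")
```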