openssh unix dev - May 2014 - bug or feature with ssh-keygen and user CAs?

I have confirmed this behavior from OpenSSH 6.6 in OS X (from MacPorts) and 6.6
in Ubuntu.  I have set up a SSH Certificate authority, and as such I put in the
following line at the top of my known_hosts file

@cert-authority *.mydomain.com ssh-rsa <public key>

Below this are all my hashed entries for various other hosts that I?ve contacted
over the years.

Every once in a while I?ll rebuild a box in my environment, and the ssh key will
change.  To clean up my known_hosts file to allow me to re-insert the new entry,
I will do ssh-keygen -R <ip>.  This has the unintended consequence of
matching on the offending entry in the known_hosts file *and* my cert-authority
entry:

$ ssh-keygen -R 10.50.3.149
# Host 10.50.3.149 found: line 1 type RSA
# Host 10.50.3.149 found: line 512 type ECDSA
/Users/mlindgren/.ssh/known_hosts updated.
Original contents retained as /Users/mlindgren/.ssh/known_hosts.old


Am I missing something fundamental here?

Thanks,

Mattias

On Wed, 7 May 2014, Mattias Lindgren wrote:
> Every once in a while I?ll rebuild a box in my environment, and the
> ssh key will change. To clean up my known_hosts file to allow me to
> re-insert the new entry, I will do ssh-keygen -R <ip>. This has the
> unintended consequence of matching on the offending entry in the
> known_hosts file *and* my cert-authority entry:
>
> $ ssh-keygen -R 10.50.3.149
> # Host 10.50.3.149 found: line 1 type RSA
> # Host 10.50.3.149 found: line 512 type ECDSA
> /Users/mlindgren/.ssh/known_hosts updated.
> Original contents retained as /Users/mlindgren/.ssh/known_hosts.old
> 
> Am I missing something fundamental here?
No, that's a bug. Could you file it at https://bugzilla.mindrot.org/ ?

-d