2011 Jul 20
auto-accept keys matching DNSSEC-validated SSHFP records
...while I'm at it. :-)
Someone had previously submitted a patch which simply trusted the AD
bit in the response, which is susceptible to spoofing by anyone who can
inject packets between the resolver and the client. Our patch always
fetches the signatures and verifies them locally. A new option,
oStrictDnssecChecking, determines whether or not an untrusted response
is treated as a failure, or if the result is returned with a warning.
In addition to adding local validation, a new setting,
oAutoAnswerValidatedKeys, allows the user to automatically accept new
keys which match DNSSEC-validated SSHFP records. Th...