I want to be able to connect to SSH servers that have their public key fingerprints published in SSHFP DNSSEC records from a Debian 11 host, without validating the key manually. However, my SSH client keeps telling me:
$ ssh -v -o VerifyHostKeyDNS=yes redpilllinpro01.ring.nlnog.net
[...]
debug1: found 6 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
The authenticity of host 'redpilllinpro01.ring.nlnog.net (2a02:c0:200:104::1)' can't be established.
ECDSA key fingerprint is SHA256:8u7TWGf0jincRkOfYWvDQzPaPFSUIKeBdxGFWpq6K/s.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
According to Verisign Labs this domain has DNSSEC properly configured, and the dig command does tell me the data is authenticated with the "ad" flag:
$ dig redpilllinpro01.ring.nlnog.net IN SSHFP +dnssec
; <<>> DiG 9.16.33-Debian <<>> redpilllinpro01.ring.nlnog.net IN SSHFP +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43382
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
Since my Debian is using systemd-resolved for DNS resolution, I tried to enable DNSSEC validation in resolved.conf, to no avail:
[Resolve]
DNSSEC=allow-downgrade
After doing this, systemd-resolved successfully authenticates DNSSEC results:
$ resolvectl query redpilllinpro01.ring.nlnog.net
redpilllinpro01.ring.nlnog.net: 2a02:c0:200:104::1 -- link: eth0
87.238.49.250 -- link: eth0
-- Information acquired via protocol DNS in 71.5ms.
-- Data is authenticated: yes
Yet, ssh still complains that the DNS data is not secure. I know ssh is using systemd-resolved because stopping it leads to DNS resolution failures in ssh.
According to debian.org, I need to replace systemd-resolved with a local DNS server (BIND9 or Unbound). I also tried this, but to no avail.
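The following Python script is an added illustration, not part of the question above or of OpenSSH itself. It reproduces the decision OpenSSH makes with VerifyHostKeyDNS: the host key blob is hashed exactly as an SSHFP record expects (SHA-1 for fingerprint type 1, SHA-256 for type 2), compared against the SSHFP rdata, and the match is only treated as "secure" when the resolver returned the answer with the AD bit set. A match without AD is exactly the "insecure fingerprints in DNS" case from the debug output, and ssh still prompts. The ed25519 key and the SSHFP records are constructed inline so the script runs offline; the function names are this example's own.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479, RFC 8709), keyed by the
# key-type string that opens an OpenSSH public key blob.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256, both over the raw key blob.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def decode_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH line like 'ssh-ed25519 AAAA... comment'."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    # The blob starts with an SSH 'string': 4-byte big-endian length, then the key type.
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode("ascii")
    if key_type != fields[0]:
        raise ValueError("key type in text does not match the blob")
    return key_type, blob


def make_sshfp(line, fptype=2):
    """Build SSHFP rdata text ('<alg> <fptype> <hex>') for a public key line."""
    key_type, blob = decode_pubkey_line(line)
    digest = SSHFP_HASH[fptype](blob).hexdigest()
    return f"{SSHFP_ALGORITHM[key_type]} {fptype} {digest}"


def parse_sshfp(rdata):
    """Split SSHFP rdata text into (algorithm, fptype, lowercase hex fingerprint)."""
    alg, fptype, fp = rdata.split()
    return int(alg), int(fptype), fp.lower()


def verify_host_key_dns(line, sshfp_records, ad_flag):
    """Mimic OpenSSH's VerifyHostKeyDNS verdict for one host key.

    Returns 'secure-match', 'insecure-match' or 'no-match'. Only 'secure-match'
    lets ssh skip the interactive prompt: a fingerprint must match AND the
    resolver must have set the AD (authenticated data) bit on the SSHFP answer.
    """
    key_type, blob = decode_pubkey_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    matched = False
    for rec in sshfp_records:
        r_alg, r_type, r_fp = parse_sshfp(rec)
        if r_alg != alg or r_type not in SSHFP_HASH:
            continue  # different key algorithm or unknown hash type
        if SSHFP_HASH[r_type](blob).hexdigest() == r_fp:
            matched = True
            break
    if not matched:
        return "no-match"
    return "secure-match" if ad_flag else "insecure-match"


def constructed_ed25519_pubkey(fill_byte=0x42):
    """A constructed, syntactically valid (not cryptographically real) ed25519 key line."""
    key_type = b"ssh-ed25519"
    point = bytes([fill_byte]) * 32
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(point)) + point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey()
    records = [make_sshfp(key, 1), make_sshfp(key, 2)]
    for ad in (True, False):
        # With the same records, only the AD bit separates "skip prompt" from "ask".
        print("AD set:", ad, "->", verify_host_key_dns(key, records, ad))
```

The practical takeaway of the model is that the record contents and the dig output are irrelevant to ssh unless the stub resolver ssh actually talks to (the one in /etc/resolv.conf) sets AD on the reply, which is why a validating resolver listening locally is what changes the verdict from "insecure" to "secure".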