
DNS can trivially be MITM'd. DNS-stored fingerprints are strictly less secure than TOFU.



If you use DNSSEC (cue inevitable rant from Thomas) this just works. If you have DoH (and why wouldn't you?) and your trusted resolver uses DNSSEC (which popular ones do), you get the same benefits.

https://en.wikipedia.org/wiki/SSHFP_record
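As an added illustration (not code from either commenter), this shows how an SSHFP record is derived from an OpenSSH host key and how a client should only accept it when the resolver DNSSEC-validated the answer, which is the policy behind OpenSSH's VerifyHostKeyDNS. The sample key is constructed, and the `dnssec_authenticated` flag is a hypothetical stand-in for the AD bit a validating resolver would set.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256 (what ssh-keygen -r publishes today).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line: str, fptype: int = 2) -> str:
    """Build the SSHFP RDATA "<alg> <fptype> <hex>" for an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the digest covers the raw wire-format key blob
    digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
    return f"{SSHFP_ALGORITHM[keytype]} {fptype} {digest}"


def host_key_matches_dns(pubkey_line: str, rdata: str, dnssec_authenticated: bool) -> bool:
    """Accept the offered host key only if the SSHFP answer was DNSSEC-validated
    (AD bit) and its fingerprint matches; an unvalidated answer is the MITM case."""
    if not dnssec_authenticated:
        return False
    alg, fptype_str, fp = rdata.split()
    fptype = int(fptype_str)
    if fptype not in SSHFP_FPTYPE:
        return False
    return sshfp_rdata(pubkey_line, fptype) == f"{int(alg)} {fptype} {fp.lower()}"


def _constructed_ed25519_key() -> str:
    # Constructed sample: a wire-format ssh-ed25519 blob around 32 arbitrary bytes, not a real key.
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example@constructed"


if __name__ == "__main__":
    key = _constructed_ed25519_key()
    record = sshfp_rdata(key)
    print("example.test. IN SSHFP", record)
    print("validated answer accepted:", host_key_matches_dns(key, record, True))
    print("unvalidated answer accepted:", host_key_matches_dns(key, record, False))
```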



