ssh -o "VerifyHostKeyDNS ask" host.example.com
How do you place the host sshd key in DNS records without first connecting to this instance and getting the key, an action which requires you to check/verify the host sshd key (which is NOT in DNS yet)?
So it looks a bit like a chicken-and-egg thing ...
What am I missing?
If there is a demand I could try whipping up a CloudFormation template to do it.
I guess most people connect to a server by name (using DNS lookups, vs. direct IP addresses).
If my query for example.com is redirected somehow, wouldn't it be fairly trivial (ignoring DNSSEC right now) to present a valid fingerprint via DNS as well?
As another commenter mentioned, it all depends on who your attacker is. A MITM ssh attack won't necessarily forge your DNS request (maybe your router is compromised?), so even without DNSSEC there might be some use in enabling this.
Security is all relative, but I'm quite sure it would be possible for you to just sign your public key signature (which is what the article covers), and presumably you've kept your private key a real secret, so that isn't forge-able (unless your enemy has cracked your 2046/4096-bit RSA key).
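An added example, not code from this thread or from OpenSSH, that ties together the chicken-and-egg question above and the DNS-forging concern in the later comments. It computes SSHFP records the way `ssh-keygen -r` does (hash of the raw key blob, per RFC 4255 / RFC 6594 / RFC 7479), which is why the host can publish them from its own `/etc/ssh/ssh_host_*_key.pub` file without anyone ever connecting to it, and then models the documented VerifyHostKeyDNS rule (a matching record from a DNSSEC-validated answer is trusted; an unvalidated match is handled as `ask`). The host name, key bytes and scenario labels are constructed for the example; the keys are not real key pairs.

```python
# Added example (not from the thread or from OpenSSH): SSHFP generation as
# ssh-keygen -r does it, plus a model of the VerifyHostKeyDNS decision.
# Keys below are constructed byte strings, not real keys; hostnames are
# placeholders.
import base64
import hashlib
import struct

# RFC 4255 algorithm numbers (RFC 6594 adds ECDSA, RFC 7479 adds Ed25519)
# and fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGO = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """(algo, fptype, hex) tuples for one OpenSSH public-key line.

    The fingerprint is the hash of the raw key blob (the base64 field,
    decoded).  The server already has that blob on disk in
    /etc/ssh/ssh_host_*_key.pub, so the records are generated on the host
    itself; no client has to connect first to learn the key.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGO[keytype]
    return [(algo, t, h(blob).hexdigest()) for t, h in sorted(SSHFP_HASH.items())]


def zone_lines(hostname, pubkey_line):
    """Zone-file lines in the format ssh-keygen -r prints."""
    return [f"{hostname} IN SSHFP {a} {t} {fp}" for a, t, fp in sshfp_records(pubkey_line)]


def parse_zone_line(line):
    """'host IN SSHFP 4 2 abcd...' -> (4, 2, 'abcd...'), the form a resolver hands back."""
    _, _, _, algo, fptype, fp = line.split()
    return int(algo), int(fptype), fp.lower()


def dns_decision(presented_key_line, rrset, dnssec_validated):
    """Model of OpenSSH's VerifyHostKeyDNS handling for one presented key.

    'trusted'  : a record matches and the answer was DNSSEC-validated
                 (accepted without a prompt under VerifyHostKeyDNS=yes)
    'ask'      : a record matches but the answer was not validated
                 (ssh reports the match but still prompts; an unsigned
                 zone is exactly where a forged answer can land here)
    'mismatch' : records exist for this key algorithm but none match
                 (ssh warns of a possible man-in-the-middle)
    'no-record': nothing in DNS for this algorithm; the usual prompt applies
    """
    mine = set(sshfp_records(presented_key_line))
    rrset = set(rrset)
    if mine & rrset:
        return "trusted" if dnssec_validated else "ask"
    my_algo = next(iter(mine))[0]
    if any(a == my_algo for a, _, _ in rrset):
        return "mismatch"
    return "no-record"


def make_ed25519_pubkey_line(raw32, comment):
    """Build an OpenSSH ssh-ed25519 public-key line from 32 raw bytes
    (constructed test data: the bytes are not a real key pair)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed host and attacker keys.
HOST_KEY = make_ed25519_pubkey_line(bytes(range(32)), "root@host.example.com")
MITM_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)), "attacker")

# Step 1: the host (or whatever provisioned its key) publishes the records;
# no client connection was needed to obtain the key.
PUBLISHED = [parse_zone_line(l) for l in zone_lines("host.example.com.", HOST_KEY)]
# Step 2: what an attacker who can also answer the DNS query would publish.
FORGED = [parse_zone_line(l) for l in zone_lines("host.example.com.", MITM_KEY)]


def scenarios():
    """Outcomes for the cases discussed in the thread."""
    return {
        "genuine key, signed zone": dns_decision(HOST_KEY, PUBLISHED, True),
        "genuine key, unsigned zone": dns_decision(HOST_KEY, PUBLISHED, False),
        "MITM key, honest DNS": dns_decision(MITM_KEY, PUBLISHED, False),
        "MITM key, forged DNS, no DNSSEC": dns_decision(MITM_KEY, FORGED, False),
    }


if __name__ == "__main__":
    for line in zone_lines("host.example.com.", HOST_KEY):
        print(line)
    for case, outcome in scenarios().items():
        print(f"{case:35s} -> {outcome}")
```

The last scenario is the point of the later comments: if the attacker controls both the connection and the DNS answer and the zone is not signed, the forged record matches, but ssh only gets as far as `ask`, so the user is still the one comparing fingerprints. Only a DNSSEC-validated answer gets to `trusted`, and a forged answer cannot validate, which is what makes the record worth more than a hint.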