Bug 11648

Summary: ansible: Copy SSHFP records into DNS
Product: Infrastructure
Reporter: Michael Tremer <michael.tremer>
Component: ---
Assignee: Timo Eissler <morlix>
Status: CLOSED WONTFIX
QA Contact: Peter Müller <peter.mueller>
Severity: - Unknown -
Priority: - Unknown -
CC: peter.mueller
Version: unspecified
Hardware: unspecified
OS: Unspecified
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=11901
Bug Depends on:
Bug Blocks: 11640

Description Michael Tremer 2018-02-26 20:02:14 UTC
ed25519 should be enough
Comment 1 Timo Eissler 2018-08-13 20:14:53 UTC
Done
Comment 2 Peter Müller 2018-09-12 18:59:09 UTC
There seems to be some issue about this:

debug1: Server host key: ssh-ed25519 SHA256:SuMjKtFQ8Cukt2dobxCPf5xhfbgp9Z1VfDXzI8844Tg
DNS lookup error: data does not exist
debug1: Host 'git.ipfire.org' is known and matches the ED25519 host key.

(While connecting to the Git server.)
Comment 3 Peter Müller 2018-10-14 06:01:32 UTC
(In reply to Peter Müller from comment #2)
> There seems to be some issue about this:
> 
> debug1: Server host key: ssh-ed25519
> SHA256:SuMjKtFQ8Cukt2dobxCPf5xhfbgp9Z1VfDXzI8844Tg
> DNS lookup error: data does not exist
> debug1: Host 'git.ipfire.org' is known and matches the ED25519 host key.
> 
> (While connecting to the Git server.)

This is still present. Could somebody have a look at the records please?
Comment 4 Michael Tremer 2018-10-14 10:40:40 UTC
Ansible isn't supposed to put SSHFP records for an alias domain. "git.ipfire.org" is not a server. It is just an alias to some other server.
Comment 5 Peter Müller 2018-10-15 18:35:55 UTC
SSHFP record for ED25519 is missing in DNS.
Comment 6 Michael Tremer 2018-10-15 19:48:00 UTC
What he is trying to say is that we are not putting those records into DNS for everything yet and ansible needs to do that.
Comment 7 Timo Eissler 2018-11-05 15:09:45 UTC
So this just needs to be run... putting the bug on QA.
Comment 8 Peter Müller 2018-11-05 17:05:38 UTC
Okay, thank you.
Comment 9 Timo Eissler 2018-11-06 16:38:05 UTC
Something is still missing...

[teissler@git01 ~]$ ssh -4v -o "VerifyHostKeyDNS yes" cornelius.ipfire.org
OpenSSH_7.8p1, OpenSSL 1.1.0i-fips  14 Aug 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *
debug1: Connecting to cornelius.ipfire.org [172.28.1.241] port 22.
debug1: Connection established.
debug1: identity file /home/teissler/.ssh/id_rsa type -1
debug1: identity file /home/teissler/.ssh/id_rsa-cert type -1
debug1: identity file /home/teissler/.ssh/id_dsa type -1
debug1: identity file /home/teissler/.ssh/id_dsa-cert type -1
debug1: identity file /home/teissler/.ssh/id_ecdsa type -1
debug1: identity file /home/teissler/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/teissler/.ssh/id_ed25519 type -1
debug1: identity file /home/teissler/.ssh/id_ed25519-cert type -1
debug1: identity file /home/teissler/.ssh/id_xmss type -1
debug1: identity file /home/teissler/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to cornelius.ipfire.org:22 as 'teissler'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32
debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:R0rIy0K/cmj7ZteykQsO7xPTFcsRg0j6/sOVNMIoGZg
debug1: found 3 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
The authenticity of host 'cornelius.ipfire.org (172.28.1.241)' can't be established.
ECDSA key fingerprint is SHA256:R0rIy0K/cmj7ZteykQsO7xPTFcsRg0j6/sOVNMIoGZg.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
Comment 10 Timo Eissler 2018-11-06 20:11:54 UTC
The clients are not using edns and thus are not getting the signed responses.

To fix this the following line needs to be added to /etc/resolv.conf

options edns0

@Michael: Do you agree to add that at all systems?
Comment 11 Michael Tremer 2018-11-07 15:12:58 UTC
> @Michael: Do you agree to add that at all systems?

Yes!
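The thread compares the `SHA256:...` host key fingerprint that `ssh -v` prints against the SSHFP records that Ansible publishes; the following is an added example (not IPFire's Ansible code) showing how both values derive from the same hash of the host key blob, so a defender can check a published record against a key without any network access. The key line is a constructed dummy `ssh-ed25519` blob, and the code point tables follow RFC 4255, RFC 6594 and RFC 7479; note that, as comment 10 explains, `ssh` only reports "matching host key fingerprint found in DNS" as secure when the resolver returns DNSSEC-validated answers, which is a resolver property this check does not cover.

```python
import base64
import hashlib
import struct

# SSHFP code points: algorithm (RFC 4255/6594/7479) and fingerprint type
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey_line(line):
    """Return (keytype, raw blob) from an ssh-keyscan / known_hosts / .pub style line."""
    fields = line.split()
    if fields[0] not in SSHFP_ALGORITHMS:   # ssh-keyscan output has a leading hostname
        fields = fields[1:]
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])    # blob starts with a length-prefixed type string
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type inside blob does not match the key type field")
    return keytype, blob

def sshfp_from_pubkey(line, fptype=2):
    """SSHFP RDATA (algorithm, fptype, hex digest) for a key, as ssh-keygen -r would emit."""
    keytype, blob = parse_pubkey_line(line)
    return SSHFP_ALGORITHMS[keytype], fptype, SSHFP_FPTYPES[fptype](blob).hexdigest()

def openssh_fingerprint(line):
    """The 'SHA256:...' form that ssh -v prints as 'Server host key' (unpadded base64)."""
    _, blob = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def sshfp_matches(record, line):
    """Compare a record as published in DNS, (alg, fptype, hex), against a host key."""
    alg, fptype, hexfp = record
    if fptype not in SSHFP_FPTYPES:
        return False
    return (alg, fptype, hexfp.lower()) == sshfp_from_pubkey(line, fptype)

def fingerprint_matches_sshfp(fp_display, hexfp):
    """ssh's SHA256:<base64> fingerprint and an SSHFP type-2 record carry the same digest."""
    raw = base64.b64decode(fp_display[len("SHA256:"):] + "=")
    return raw == bytes.fromhex(hexfp)

# Constructed sample: a well-formed ssh-ed25519 blob wrapping a dummy 32-byte key (not a real key)
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "host.example ssh-ed25519 " + base64.b64encode(_blob).decode()

if __name__ == "__main__":
    alg, fptype, hexfp = sshfp_from_pubkey(SAMPLE_KEY)
    print(f"host.example. IN SSHFP {alg} {fptype} {hexfp}")
    print(openssh_fingerprint(SAMPLE_KEY))
```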