#use wml::db.d.o title="debian.org Developer Machines"
+#use wml::vbar
+
+<dsatoc/>
<h3>SSH Host Keys</h3>
be displayed when <a href="machines.cgi">details</a> for a machine are
displayed.</p>
+<p>Developers that have a secure path to a DNSSEC enabled resolver can
+verify the existing SSHFP records for the debian.org servers by adding
+<code>VerifyHostKeyDNS yes</code> to their <code>~/.ssh/config</code>
+file.</p>
+
<p>On machines in the debian.org which are updated from the LDAP
database <code>/etc/ssh/ssh_known_hosts</code> contains the keys for
all hosts in this domain. This helps for easier log in into such a
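Review bot: the added `VerifyHostKeyDNS yes` paragraph does not say what "a secure path to a DNSSEC enabled resolver" means in practice, and the check it recommends is only as trustworthy as that path. Suggest naming the expected setup, for example a validating resolver running on the developer's own machine, and pointing readers without one to the `ud-host -f` comparison described further down the page. Minor wording in the same paragraph: "Developers who have" and "DNSSEC-enabled".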
<p>Developers should add <code>StrictHostKeyChecking yes</code> to
their <code>~/.ssh/config</code> file so that they only connect to
-trusted hosts. With the file mentioned above, nearly all hosts in the
-debian.org domain will be trusted automatically.</p>
+trusted hosts. Either with the DNSSEC records or the file mentioned
+above, nearly all hosts in the debian.org domain will be trusted
+automatically.</p>
<p>Developers can also execute <code>ud-host -f</code> or
<code>ud-host -f -h host</code> on a machine in the debian.org domain
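Review bot: in the rewritten sentence "Either with the DNSSEC records or the file mentioned above", the two sources of trust apply in different places and the text does not say so. The file is `/etc/ssh/ssh_known_hosts`, which the page describes as present on debian.org machines updated from LDAP, while the SSHFP check is something a developer enables in their own `~/.ssh/config`. Since the paragraph also recommends `StrictHostKeyChecking yes`, a reader on an external host needs to know which one they are relying on. Suggest something like "With the file mentioned above on debian.org machines, or with the DNSSEC-verified SSHFP records elsewhere, nearly all hosts in the debian.org domain will be trusted automatically."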
a particular host in order to compare it with the output of
<code>ssh</code> on an external host.</p>
-<h3>Exception for Alioth</h3>
-
-<p>An exception has been made for the Alioth system since not only
-Debian developers have an account on this machine. As a result, this
-machine (or machines in case there are more of one serving as Alioth
-hosts) is generally not trusted. Hence no passwords (i.e. no shadow
-file(s)) will be exported to it and their SSH keys are not added to
-the LDAP system.</p>
-
-
-<p><a href="http://people.debian.org/~joey/misc/naming.html">Debian Host Naming Scheme</a></p>
+<p><a href="https://people.debian.org/~joey/misc/naming.html">Debian Host Naming Scheme</a></p>
+<p><a href="https://wiki.debian.org/DNSSEC">DNSSEC in Debian</a></p>
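Review bot: the removal of the whole "Exception for Alioth" section is unrelated to the SSHFP/DNSSEC text the rest of this patch adds, and it drops the statement that the machine is generally not trusted, receives no exported passwords, and has no SSH keys in LDAP. Suggest moving that removal to its own commit with a message that says why the exception no longer needs documenting, so readers of "nearly all hosts in the debian.org domain will be trusted automatically" can still find out what the exceptions are. The switch of the naming-scheme link to https and the new DNSSEC wiki link look fine.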