be displayed when <a href="machines.cgi">details</a> for a machine are
displayed.</p>
+<p>Developers that have a secure path to a DNSSEC enabled resolver can
+verify the existing SSHFP records for the debian.org servers by adding
+<code>VerifyHostKeyDNS yes</code> to their <code>~/.ssh/config</code>
+file.</p>
+
<p>On machines in the debian.org which are updated from the LDAP
database <code>/etc/ssh/ssh_known_hosts</code> contains the keys for
all hosts in this domain. This helps for easier log in into such a
<p>Developers should add <code>StrictHostKeyChecking yes</code> to
their <code>~/.ssh/config</code> file so that they only connect to
-trusted hosts. With the file mentioned above, nearly all hosts in the
-debian.org domain will be trusted automatically.</p>
+trusted hosts. Either with the DNSSEC records or the file mentioned
+above, nearly all hosts in the debian.org domain will be trusted
+automatically.</p>
<p>Developers can also execute <code>ud-host -f</code> or
<code>ud-host -f -h host</code> on a machine in the debian.org domain
the LDAP system.</p>
-<p><a href="http://people.debian.org/~joey/misc/naming.html">Debian Host Naming Scheme</a></p>
+<p><a href="https://people.debian.org/~joey/misc/naming.html">Debian Host Naming Scheme</a></p>
+<p><a href="https://wiki.debian.org/DNSSEC">DNSSEC in Debian</a></p>