mirror / userdir-ldap-cgi.git / commitdiff (parent: 9368c44)
Explain how to use DNSSEC and SSHFP records
author Alex Muntada <alexm@debian.org> Fri, 2 Mar 2018 16:35:08 +0000 (17:35 +0100)
committer Paul Wise <pabs@debian.org> Sat, 3 Mar 2018 00:07:25 +0000 (08:07 +0800)
html/doc-hosts.wml
diff --git
a/html/doc-hosts.wml
b/html/doc-hosts.wml
index
2e252eb
..
ead0b88
100644
(file)
--- a/
html/doc-hosts.wml
+++ b/
html/doc-hosts.wml
@@
-10,6
+10,11
@@
stored in the Debian LDAP database. The key and its fingerprint will
be displayed when <a href="machines.cgi">details</a> for a machine are
displayed.</p>
+<p>Developers that have a secure path to a DNSSEC enabled resolver can
+verify the existing SSHFP records for the debian.org servers by adding
+<code>VerifyHostKeyDNS yes</code> to their <code>~/.ssh/config</code>
+file.</p>
+
<p>On machines in the debian.org which are updated from the LDAP
database <code>/etc/ssh/ssh_known_hosts</code> contains the keys for
all hosts in this domain. This helps for easier log in into such a
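Review bot: the new paragraph hinges on "a secure path to a DNSSEC enabled resolver" but never says what qualifies, so a developer who sets `VerifyHostKeyDNS yes` behind a remote or non-validating resolver gets a weaker guarantee than the sentence implies; suggest naming the expected setup (a validating resolver on the local host, or a trusted network path to one) and hyphenating "DNSSEC-enabled". The wording "debian.org servers" also differs from the "debian.org domain" used in the surrounding paragraphs; one term would read better.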
@@
-17,8
+22,9
@@
machine. This is also be available in the chroot environments.</p>
<p>Developers should add <code>StrictHostKeyChecking yes</code> to
their <code>~/.ssh/config</code> file so that they only connect to
-trusted hosts. With the file mentioned above, nearly all hosts in the
-debian.org domain will be trusted automatically.</p>
+trusted hosts. Either with the DNSSEC records or the file mentioned
+above, nearly all hosts in the debian.org domain will be trusted
+automatically.</p>
<p>Developers can also execute <code>ud-host -f</code> or
<code>ud-host -f -h host</code> on a machine in the debian.org domain
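Review bot: the rewritten sentence "Either with the DNSSEC records or the file mentioned above" relies on a fact the page does not state, namely that a DNSSEC-validated SSHFP match satisfies `StrictHostKeyChecking yes` without an entry in `/etc/ssh/ssh_known_hosts`; say so explicitly in this hunk, otherwise readers will assume the known_hosts file is still required in addition to the DNS records. The unchanged context line just above ("This is also be available") carries a pre-existing typo that could be fixed while this paragraph is being touched.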
@@
-37,3
+43,4
@@
the LDAP system.</p>
<p><a href="https://people.debian.org/~joey/misc/naming.html">Debian Host Naming Scheme</a></p>
+<p><a href="https://wiki.debian.org/DNSSEC">DNSSEC in Debian</a></p>
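Review bot: the new "DNSSEC in Debian" link is appended to the reference list with nothing tying it to the VerifyHostKeyDNS paragraph added earlier in this patch; either reference it from that paragraph or add a few words here saying why it is relevant (resolver setup), since the earlier paragraph asks developers to have a DNSSEC-validating resolver without telling them where to start.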