From 0e1f4803a9672dbd8d9a13dceb37e493f1956d25 Mon Sep 17 00:00:00 2001 From: Alex Muntada Date: Fri, 2 Mar 2018 17:35:08 +0100 Subject: [PATCH] Explain how to use DNSSEC and SSHFP records --- html/doc-hosts.wml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/html/doc-hosts.wml b/html/doc-hosts.wml index 2e252eb..ead0b88 100644 --- a/html/doc-hosts.wml +++ b/html/doc-hosts.wml @@ -10,6 +10,11 @@ stored in the Debian LDAP database. The key and its fingerprint will be displayed when details for a machine are displayed.

+

Developers that have a secure path to a DNSSEC enabled resolver can +verify the existing SSHFP records for the debian.org servers by adding +VerifyHostKeyDNS yes to their ~/.ssh/config +file.

+

On machines in the debian.org which are updated from the LDAP database /etc/ssh/ssh_known_hosts contains the keys for all hosts in this domain. This helps for easier log in into such a @@ -17,8 +22,9 @@ machine. This is also be available in the chroot environments.

Developers should add StrictHostKeyChecking yes to their ~/.ssh/config file so that they only connect to -trusted hosts. With the file mentioned above, nearly all hosts in the -debian.org domain will be trusted automatically.

+trusted hosts. Either with the DNSSEC records or the file mentioned +above, nearly all hosts in the debian.org domain will be trusted +automatically.

Developers can also execute ud-host -f or ud-host -f -h host on a machine in the debian.org domain @@ -37,3 +43,4 @@ the LDAP system.

Debian Host Naming Scheme

+

DNSSEC in Debian

-- 2.20.1
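Review bot: in the first hunk, "a secure path to a DNSSEC enabled resolver" understates what ssh needs before `VerifyHostKeyDNS yes` accepts a host key without prompting: the resolver must itself validate DNSSEC and its answer must reach ssh with the AD bit set over a path the client trusts (in practice a validating resolver on the local machine or on a trusted network). If the SSHFP records are found but the answer is not validated, ssh only reports a matching fingerprint and still falls back to the normal known_hosts prompt. Suggest spelling that out, e.g. "Developers whose resolver validates DNSSEC and whom they trust (for instance one running on the local machine) can verify ...", and mentioning `VerifyHostKeyDNS ask` for developers who want the DNS result shown but still want to confirm each new host.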
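Review bot: in the second hunk, "Either with the DNSSEC records or the file mentioned above" is ambiguous, because the file mentioned immediately before it is ~/.ssh/config; name /etc/ssh/ssh_known_hosts explicitly, e.g. "Either with the DNSSEC records or the /etc/ssh/ssh_known_hosts file mentioned above, nearly all hosts ...". While the paragraph is being touched, the context line "This is also be available in the chroot environments" carries a pre-existing slip and could read "This is also available" in the same patch.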
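Review bot: in the third hunk, the new "DNSSEC in Debian" see-also entry is the only pointer a reader gets for the validating-resolver setup that the first hunk assumes, but nothing in that earlier paragraph refers to it; consider linking the entry from the VerifyHostKeyDNS paragraph directly so the prerequisite and the explanation sit together.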