Leaving off everything else I think about DNSSEC, this is a baffling feature. DNS solves the problem of introducing unrelated counterparties, which is not the SSH host key problem --- people generally don't SSH into hosts they're not somehow affiliated with. This is what CA-based PKIs are made for, and OpenSSH has a good (non-X.509) certificate system already; lots of people use it to get e.g. SSO login for SSH.
Tying authenticity to a global, remote set of authorities is a tradeoff we make for anonymous introductions to random web servers whenever we need them. SSH doesn't have that problem, so the tradeoff gets you... nothing?
> people generally don't SSH into hosts they're not somehow affiliated with
git remote add ... git+ssh://user@github.com/... comes to mind as a counterexample, although I admit there aren't many of these examples and GitHub also supports authenticated https:// with git. GitHub don't publish SSHFP DNS records either it seems, but the feature is there in the client.
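To make the client feature mentioned above concrete, here is an added example (not from this thread and not OpenSSH's own code) that derives the SSHFP record data from an OpenSSH public key line, the way `ssh-keygen -r` does, and performs the comparison a client would make against DNS answers. The key material is constructed, and the check deliberately stops short of the part the thread is arguing about: it cannot tell whether the answers were DNSSEC-validated.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA256 = 2  # fingerprint type 2 = SHA-256 (type 1, SHA-1, is legacy)


def sshfp_rdata(pubkey_line):
    """Return the SSHFP RDATA ("alg fptype hexdigest") for one public key line.
    The digest is SHA-256 over the raw, base64-decoded key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed copy of the key type; if it does not
    # agree with the declared type, the line was mangled or tampered with.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type inside blob does not match declared type")
    return f"{SSHFP_ALGORITHM[keytype]} {SSHFP_SHA256} {hashlib.sha256(blob).hexdigest()}"


def host_key_matches_dns(pubkey_line, sshfp_answers):
    """Client-side check: accept the presented host key only if some SSHFP answer
    carries the same algorithm, fingerprint type and digest. This says nothing
    about whether the answers were DNSSEC-secured, which is the trust the feature
    actually rests on (OpenSSH's VerifyHostKeyDNS consults that status)."""
    want = sshfp_rdata(pubkey_line)
    return any(hmac.compare_digest(want, " ".join(a.split()).lower()) for a in sshfp_answers)


def constructed_ed25519_line():
    # Constructed sample: a well-formed ssh-ed25519 line whose 32-byte public value
    # is simply 0..31. Not a real key, but enough to exercise the wire encoding.
    keytype, raw = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example-host"


if __name__ == "__main__":
    print(sshfp_rdata(constructed_ed25519_line()))
```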