diff --git a/.mikaela/ssh/config b/.mikaela/ssh/config
index 014bbc2c..e59647dc 100644
--- a/.mikaela/ssh/config
+++ b/.mikaela/ssh/config
@@ -33,9 +33,16 @@ Host *
     # "ping" the server every minute.
     ServerAliveInterval 60
 
+    # OpenSSH 6.8+ - ask all host keys from servers.
+    # I trust the server admins and ways to identify the keys (DNSSEC,
+    # manual)
+    UpdateHostKeys yes
+
     # Verify SSHFP records. In case DNSSEC is used this skips the
     # question on whether you trust the fingerprint or not.
-    VerifyHostKeyDNS=yes
+    # All my hosts run DNSSEC validating Unbound on localhost and use it
+    # for all DNS queries. Yours should too.
+    VerifyHostKeyDNS yes
 
 Host hilla
     HostName hilla.kapsi.fi
diff --git a/etc/ssh/ssh_config b/etc/ssh/ssh_config
index 4f34d1c8..cdfa7371 100644
--- a/etc/ssh/ssh_config
+++ b/etc/ssh/ssh_config
@@ -31,6 +31,14 @@ Host *
     # "ping" the server every minute.
     ServerAliveInterval 60
 
+    # OpenSSH 6.8+ - ask all host keys from servers.
+    # I trust the server admins and ways to identify the keys (DNSSEC,
+    # manual)
+    UpdateHostKeys yes
+
     # Verify SSHFP records. In case DNSSEC is used this skips the
     # question on whether you trust the fingerprint or not.
     VerifyHostKeyDNS=yes
+    # All my hosts run DNSSEC validating Unbound on localhost and use it
+    # for all DNS queries. Yours should too.
+    VerifyHostKeyDNS yes