From 66f604a6dd968053b5235298c5a34c33f0461aa3 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Wed, 2 Sep 2015 08:15:16 +0300
Subject: [PATCH] ssh_config: add UpdateHostKeys yes
---
 .mikaela/ssh/config | 9 ++++++++-
 etc/ssh/ssh_config | 8 ++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/.mikaela/ssh/config b/.mikaela/ssh/config
index 014bbc2c..e59647dc 100644
--- a/.mikaela/ssh/config
+++ b/.mikaela/ssh/config
@@ -33,9 +33,16 @@ Host *
 # "ping" the server every minute.
 ServerAliveInterval 60

+ # OpenSSH 6.8+ - ask all host keys from servers.
+ # I trust the server admins and ways to identify the keys (DNSSEC,
+ # manual)
+ UpdateHostKeys yes
+
 # Verify SSHFP records. In case DNSSEC is used this skips the
 # question on whether you trust the fingerprint or not.
- VerifyHostKeyDNS=yes
+ # All my hosts run DNSSEC validating Unbound on localhost and use it
+ # for all DNS queries. Yours should too.
+ VerifyHostKeyDNS yes

 Host hilla
 HostName hilla.kapsi.fi
diff --git a/etc/ssh/ssh_config b/etc/ssh/ssh_config
index 4f34d1c8..cdfa7371 100644
--- a/etc/ssh/ssh_config
+++ b/etc/ssh/ssh_config
@@ -31,6 +31,14 @@ Host *
 # "ping" the server every minute.
 ServerAliveInterval 60

+ # OpenSSH 6.8+ - ask all host keys from servers.
+ # I trust the server admins and ways to identify the keys (DNSSEC,
+ # manual)
+ UpdateHostKeys yes
+
 # Verify SSHFP records. In case DNSSEC is used this skips the
 # question on whether you trust the fingerprint or not.
 VerifyHostKeyDNS=yes
+ # All my hosts run DNSSEC validating Unbound on localhost and use it
+ # for all DNS queries. Yours should too.
+ VerifyHostKeyDNS yes
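Review bot: `UpdateHostKeys yes` sits under `Host *`, so the "I trust the server admins" reasoning in the added comment is applied to every host this client connects to, not only the named ones further down. With `yes`, additional keys a server announces after authentication are written to known_hosts without a prompt, so if a host is later found compromised all of its known_hosts entries need review, not just the rotated key. I would use `UpdateHostKeys ask` in the wildcard block and keep `yes` for named hosts such as `Host hilla`, or at least extend the comment with `# Applies to all hosts; keys are learned without confirmation.` The same lines are added in the etc/ssh/ssh_config hunk, where they become the default for every user of that file. The `Host *` block starts above the hunk, so its other options are not visible here.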
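Review bot: The old `VerifyHostKeyDNS=yes` line stays as context in this hunk and `VerifyHostKeyDNS yes` is added below the new comment, so the directive now appears twice with the comment wedged between the two; the .mikaela/ssh/config hunk replaced the line instead. ssh_config uses the first value obtained for an option, so behaviour should be unchanged, but the duplicate is confusing: delete `VerifyHostKeyDNS=yes` so the block ends with the comment followed by `VerifyHostKeyDNS yes`. Because this file is a system-wide default, the comment's premise of a validating resolver on localhost is better stated as a requirement, for example `# Requires a local DNSSEC-validating resolver; without one prefer "ask".`, since `yes` accepts a matching SSHFP record on the strength of whatever validation result the configured resolver reports.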