ssh_config: update comment for VerifyHostKeyDNS

OpenSSH is evil and gives you three not-optimal options to this:

A) trust DNSSEC and don't write known_hosts
B) ask whether to trust DNS, but don't bother telling me if it's signed
C) don't even check SSHFP

I see A) as the least evil, but I wish known_hosts was written.
Alternatively B) should tell me whether there is DNSSEC or not, not
only "matching keys found from DNS" or whatever it says always.

.mikaela/ssh/config

@@ -42,11 +42,11 @@ Host *
     # Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
     UseRoaming no
 
-    # Verify SSHFP records. In case DNSSEC is used this skips the
-    # question on whether you trust the fingerprint or not.
-    # All my hosts run DNSSEC validating Unbound on localhost and use it
-    # for all DNS queries. Yours should too.
-    VerifyHostKeyDNS yes
+    # Verify SSHFP records. If this is yes, the question is skipped when
+    # DNSSEC is used, but apparently only "ask" and "no" write known_hosts
+    # However with "ask" you won't be told whether the zone is signed, so
+    # I consider "yes" to be the least evil.
+    VerifyHostKeyDNS ask
 
 Host aur.archlinux.org
     User aur

etc/ssh/ssh_config

@@ -43,8 +43,8 @@ Host *
     # Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
     UseRoaming no
 
-    # Verify SSHFP records. In case DNSSEC is used this skips the
-    # question on whether you trust the fingerprint or not.
-    # All my hosts run DNSSEC validating Unbound on localhost and use it
-    # for all DNS queries. Yours should too.
-    VerifyHostKeyDNS yes
+    # Verify SSHFP records. If this is yes, the question is skipped when
+    # DNSSEC is used, but apparently only "ask" and "no" write known_hosts
+    # However with "ask" you won't be told whether the zone is signed, so
+    # I consider "yes" to be the least evil.
+    VerifyHostKeyDNS ask