diff --git a/.mikaela/ssh/config b/.mikaela/ssh/config
index 2a8fa2a6..8b8b637e 100644
--- a/.mikaela/ssh/config
+++ b/.mikaela/ssh/config
@@ -42,11 +42,11 @@ Host *
 # Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
 UseRoaming no
- # Verify SSHFP records. In case DNSSEC is used this skips the
- # question on whether you trust the fingerprint or not.
- # All my hosts run DNSSEC validating Unbound on localhost and use it
- # for all DNS queries. Yours should too.
- VerifyHostKeyDNS yes
+ # Verify SSHFP records. If this is yes, the question is skipped when
+ # DNSSEC is used, but apparently only "ask" and "no" write known_hosts
+ # However with "ask" you won't be told whether the zone is signed, so
+ # I consider "yes" to be the least evil.
+ VerifyHostKeyDNS ask
 Host aur.archlinux.org
 User aur
diff --git a/etc/ssh/ssh_config b/etc/ssh/ssh_config
index eb8803c5..f9106fc2 100644
--- a/etc/ssh/ssh_config
+++ b/etc/ssh/ssh_config
@@ -43,8 +43,8 @@ Host *
 # Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
 UseRoaming no
- # Verify SSHFP records. In case DNSSEC is used this skips the
- # question on whether you trust the fingerprint or not.
- # All my hosts run DNSSEC validating Unbound on localhost and use it
- # for all DNS queries. Yours should too.
- VerifyHostKeyDNS yes
+ # Verify SSHFP records. If this is yes, the question is skipped when
+ # DNSSEC is used, but apparently only "ask" and "no" write known_hosts
+ # However with "ask" you won't be told whether the zone is signed, so
+ # I consider "yes" to be the least evil.
+ VerifyHostKeyDNS ask
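Review bot: The new comment closes with `I consider "yes" to be the least evil`, but the directive directly under it is `VerifyHostKeyDNS ask`, so the comment contradicts the value it documents; the same mismatch is in the etc/ssh/ssh_config hunk. If `ask` is the intended setting, the last comment line should read `# I consider "ask" to be the least evil.` and the sentence before it needs its missing period after `write known_hosts`. The "apparently only "ask" and "no" write known_hosts" claim is the whole justification for weakening from `yes` to `ask`; if it was checked against a specific OpenSSH release, naming that release in the comment would let a later reader tell whether it still applies. The removed lines carried the one security-relevant caveat, that SSHFP answers only add trust behind a DNSSEC-validating resolver, and it is worth keeping as one line such as `# SSHFP results only add trust when the local resolver validates DNSSEC.` so the prompt is not waved through on an unvalidated answer.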