From e634ee8863ed7570e936afae27836b9b86a1240e Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Thu, 9 May 2019 18:44:36 +0300
Subject: [PATCH] ssh_config: update comment for VerifyHostKeyDNS

OpenSSH is evil and gives you three not-optimal options to this: A) trust DNSSEC and don't write known_hosts B) ask whether to trust DNS, but don't bother telling me if it's signed C) don't even check SSHFP I see A) as the least evil, but I wish known_hosts was written. Alternatively B) should tell me whether there is DNSSEC or not, not only "matching keys found from DNS" or whatever it says always.
---
 .mikaela/ssh/config | 10 +++++-----
 etc/ssh/ssh_config | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.mikaela/ssh/config b/.mikaela/ssh/config
index 2a8fa2a6..8b8b637e 100644
--- a/.mikaela/ssh/config
+++ b/.mikaela/ssh/config
@@ -42,11 +42,11 @@ Host *
 # Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
 UseRoaming no
 
- # Verify SSHFP records. In case DNSSEC is used this skips the
- # question on whether you trust the fingerprint or not.
- # All my hosts run DNSSEC validating Unbound on localhost and use it
- # for all DNS queries. Yours should too.
- VerifyHostKeyDNS yes
+ # Verify SSHFP records. If this is yes, the question is skipped when
+ # DNSSEC is used, but apparently only "ask" and "no" write known_hosts
+ # However with "ask" you won't be told whether the zone is signed, so
+ # I consider "yes" to be the least evil.
+ VerifyHostKeyDNS ask
 
 Host aur.archlinux.org
 User aur
diff --git a/etc/ssh/ssh_config b/etc/ssh/ssh_config
index eb8803c5..f9106fc2 100644
--- a/etc/ssh/ssh_config
+++ b/etc/ssh/ssh_config
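Review bot: The new comment closes with `# I consider "yes" to be the least evil.` while the directive it documents on the very next line is `VerifyHostKeyDNS ask`, so the comment now contradicts the setting and a later reader cannot tell which of the two is the mistake. The commit message spells out the actual trade-off — "yes" skips the prompt and, per the author's observation, the known_hosts write, whereas "ask" prompts but does not say whether the SSHFP answer was DNSSEC-validated — and that reasoning belongs in the comment, together with the consequence that under "ask" the "matching key found in DNS" hint is not evidence of validation. I would replace the last two comment lines with `# However with "ask" you are not told whether the SSHFP answer was DNSSEC-validated.` / `# "ask" is used anyway so known_hosts gets written; do not treat the DNS match hint as` / `# proof and still verify the fingerprint out-of-band before accepting a new key.` The enclosing `Host *` block starts before this hunk.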
@@ -43,8 +43,8 @@ Host *
 # Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
 UseRoaming no
 
- # Verify SSHFP records. In case DNSSEC is used this skips the
- # question on whether you trust the fingerprint or not.
- # All my hosts run DNSSEC validating Unbound on localhost and use it
- # for all DNS queries. Yours should too.
- VerifyHostKeyDNS yes
+ # Verify SSHFP records. If this is yes, the question is skipped when
+ # DNSSEC is used, but apparently only "ask" and "no" write known_hosts
+ # However with "ask" you won't be told whether the zone is signed, so
+ # I consider "yes" to be the least evil.
+ VerifyHostKeyDNS ask
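Review bot: Same inconsistency as in the per-user config: the comment argues for "yes" as the least evil but the directive that follows is `VerifyHostKeyDNS ask`, and in a system-wide `/etc/ssh/ssh_config` a first-person "I consider" note is also the wrong register, since every user on the host inherits this choice without knowing who "I" is. The comment should state the decision impersonally and carry the security caveat that the commit message itself raises, namely that the prompt under "ask" does not reveal whether the SSHFP record was DNSSEC-validated. Suggested replacement for the last two comment lines: `# With "ask" the client does not say whether the SSHFP answer was DNSSEC-validated,` / `# so the "matching key found in DNS" hint is not proof; "ask" is used so known_hosts` / `# is still written, but verify the fingerprint out-of-band before accepting it.` The enclosing `Host *` block starts before this hunk.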