Hacker News

jcalvinowens, today at 2:46 PM (2 replies)

You can also address TOFU to some extent using SSHFP DNS records.

OpenSSH supports checking the DNSSEC signature in the client, in theory, but it's a configure option and I'm not sure whether distros build with it.
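
As an added illustration of the SSHFP mechanism mentioned above (example code, not from the thread or from OpenSSH), the block below builds the SSHFP RDATA from an OpenSSH public key line, the same way `ssh-keygen -r host` does, and then applies the client-side rule: a presented host key is only auto-trusted when a record's fingerprint matches and the DNS answer was DNSSEC-validated. The keys are constructed sample input, not real hosts; the algorithm and fingerprint-type numbers are the IANA SSHFP values.

```python
"""Build and check SSHFP records from OpenSSH public key lines.

Added example, not code from the thread. It mirrors what `ssh-keygen -r host`
emits and the trust decision the ssh client makes with VerifyHostKeyDNS=yes.
"""
import base64
import hashlib
import struct

# Algorithm numbers from the IANA SSHFP registry (RFC 4255, 6594, 7479, 8709).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (keytype, raw key blob) from an `ssh-ed25519 AAAA... comment` line.

    The fingerprint covers the decoded blob, not the base64 text, and the
    blob's leading string must agree with the key type on the line.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != keytype:
        raise ValueError("key type on line does not match blob")
    return keytype, blob


def sshfp_rdata(line, fptype=2):
    """Return the SSHFP RDATA `alg fptype hexdigest` for a public key line."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    digest = FP_HASHES[fptype](blob).hexdigest()
    return f"{alg} {fptype} {digest}"


def host_key_matches(line, records, dnssec_validated):
    """Decide whether a presented host key is vouched for by SSHFP records.

    records: iterable of RDATA strings as a resolver would return them.
    dnssec_validated: whether the answer was authenticated (AD bit or local
    validation). An unsigned match is not trusted on its own, which is the
    same rule the OpenSSH client applies, so that case returns False.
    """
    if not dnssec_validated:
        return False
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    for rec in records:
        try:
            r_alg, r_fptype, r_hex = rec.split()
            r_alg, r_fptype = int(r_alg), int(r_fptype)
        except ValueError:
            continue  # malformed record: ignore it
        if r_alg != alg or r_fptype not in FP_HASHES:
            continue
        if FP_HASHES[r_fptype](blob).hexdigest() == r_hex.lower():
            return True
    return False


def make_ed25519_line(pub32, comment="constructed"):
    """Construct a syntactically valid ssh-ed25519 public key line from 32 bytes.

    Only used to build sample input offline; the bytes need not be a real
    curve point for fingerprinting purposes.
    """
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample keys (hypothetical hosts, not real ones).
HOST_KEY = make_ed25519_line(bytes(range(32)), "host.example")
OTHER_KEY = make_ed25519_line(bytes(range(32, 64)), "impostor")

if __name__ == "__main__":
    for fptype in (1, 2):
        print(f"host.example IN SSHFP {sshfp_rdata(HOST_KEY, fptype)}")
    records = [sshfp_rdata(HOST_KEY, 2)]
    print("signed match:", host_key_matches(HOST_KEY, records, True))
    print("unsigned match:", host_key_matches(HOST_KEY, records, False))
    print("wrong key:", host_key_matches(OTHER_KEY, records, True))
```

For a real host, `ssh-keygen -r host.example` prints the equivalent records for each host key, and `dig +dnssec host.example SSHFP` shows whether the zone actually signs them; the client side is `VerifyHostKeyDNS yes` (or `ask`) in ssh_config. The `dnssec_validated` flag is the part that depends on the resolver and on how the OpenSSH binary was built, which is why an unsigned or unvalidated record still leaves you with the TOFU prompt.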


Replies

jsiepkes, today at 2:53 PM

On top of that you would need something to secure DNS, like DNSSEC or, at the very least, DNS over TLS or DNS over HTTP. None of these are typically enabled by default.

fc417fc802, today at 4:42 PM

Any idea if there's a standardized location, something like /.well-known/ssh?