- jakob@cvs.openbsd.org 2003/10/14 19:43:23

[README.dns] update Resynced with OpenBSD too: DNSFP support is now always compiled in so the configure support (and documentation thereof) can go away.
author: Darren Tucker <dtucker@zip.com.au> 2003-10-15 16:07:53 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2003-10-15 16:07:53 +1000
commit: 64b77bcb4b40c97eb1da058ee5648da1a34c3b63 (patch)
tree: d31b93369158d8d6ae1bca321f4ea93ac10074b7
parent: dda19d63ffeed569c57f4b9359bc358abe690d23 (diff)
2 files changed, 13 insertions, 15 deletions
diff --git a/ChangeLog b/ChangeLog
index 414a51f25..5d0201a71 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,9 @@
   - jakob@cvs.openbsd.org 2003/10/14 19:42:10
     [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c]
     include SSHFP lookup code (not enabled by default). ok markus@
+   - jakob@cvs.openbsd.org 2003/10/14 19:43:23
+     [README.dns]
+     update
 20031009
 - (dtucker) [sshd_config.5] UsePAM defaults to "no".  ok djm@
@@ -1350,4 +1353,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.3077 2003/10/15 06:00:47 dtucker Exp $
+$Id: ChangeLog,v 1.3078 2003/10/15 06:07:53 dtucker Exp $
diff --git a/README.dns b/README.dns
index e24092e03..97879183e 100644
--- a/README.dns
+++ b/README.dns
@@ -1,17 +1,13 @@
 How to verify host keys using OpenSSH and DNS
 ---------------------------------------------
-OpenSSH contains experimental support for verifying host keys using DNS
+OpenSSH contains support for verifying host keys using DNS as described in
-as described in draft-ietf-secsh-dns-xx.txt. The document contains
+draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
-very brief instructions on how to test this feature. Configuring DNS
+on how to use this feature. Configuring DNS is out of the scope of this
-and DNSSEC is out of the scope of this document.
+document.
-(1) Enable DNS fingerprint support in OpenSSH
+(1) Server: Generate and publish the DNS RR
-        configure --with-dns
-(2) Generate and publish the DNS RR
 To create a DNS resource record (RR) containing a fingerprint of the
 public host key, use the following command:
@@ -24,15 +20,14 @@ you should generate one RR for each key.
 In the example above, ssh-keygen will print the fingerprint in a
 generic DNS RR format parsable by most modern name server
-implementations. If your nameserver has support for the SSHFP RR, as
+implementations. If your nameserver has support for the SSHFP RR
-defined by the draft, you can omit the -g flag and ssh-keygen will
+you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
-print a standard RR.
 To publish the fingerprint using the DNS you must add the generated RR
 to your DNS zone file and sign your zone.
-(3) Enable the ssh client to verify host keys using DNS
+(2) Client: Enable ssh to verify host keys using DNS
 To enable the ssh client to verify host keys using DNS, you have to
 add the following option to the ssh configuration file
@@ -49,4 +44,4 @@ the remote host key, the user will be notified.
        Wesley Griffin
-$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $
+$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
author	Darren Tucker <dtucker@zip.com.au>	2003-10-15 16:07:53 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2003-10-15 16:07:53 +1000
commit	64b77bcb4b40c97eb1da058ee5648da1a34c3b63 (patch)
tree	d31b93369158d8d6ae1bca321f4ea93ac10074b7
parent	dda19d63ffeed569c57f4b9359bc358abe690d23 (diff)