[tptacek]

It's a little baffling that anyone would set this up, as the thing it promises is key integrity backed by government-controlled PKI. The impulse is sound! It's a good thing to want! But you can accomplish the same thing, and get other benefits, without forklifting DNSSEC into your zone configuration, by using SSH's certificate system. SSH certificates aren't X.509; they're much simpler.

[Borealid]

First, the DNSSec keys are TOFU so only the first connection is attack-able by someone in control of DNS zone root keys, and any other connections set off alarm bells.

Second, DNS lets you connect to someone else's host and get their public key without needing to find their (not your) CA.

Third, if you're not entering IP addresses by hand DNS forms some part of your systems trust no matter what you do. You're free to pin a domain's DNSSec KSK if you're very worried about someone in control of the whole Internet using that control to trick your first SSH connections.

[tptacek]

All SSH keys are TOFU! You can't mitigate the state-controlled PKI thing by saying it's TOFU; you get that property even without DNSSEC!

[Borealid]

I don't deny that, I was just pointing out that the threat model in question is someone in control of every DNS record somehow making a change that only affects new SSH connections. Because they control the record that says which KSK is okay for which domain, but presumably don't have your DNSSec private key.

The attack would be delicate to say the least .

Repeating, the purpose of DNS is for discovering sonething you don't administer. Like the SSH public key of a host, or the mailserver for a domain. CA certificates are for securing something you do administer.