On top of that you would need something to secure DNS, like DNSSEC, or at the very least use DNS with TLS or DNS over HTTP. None of these are typically enabled by default.
Anything that uses systemd-resolved is probably doing DNSSEC validation by default. It's becoming much more common.
Additionally, as I mentioned, OpenSSH itself has support for validating the DNSSEC signature even if your local resolver doesn't. I actually don't think it can use the standard resolver for SSHFP records at all, but I'm not sure.