Ssh won't use SSHFP fingerprints available via DNSSEC, because it doesn't turn on DNSSEC to request them.

Around line 70 in openbsd-compat/getrrsetbyname.c, we have the following:

    /* to avoid conflicts where a platform already has _res */
    #ifdef _res
    # undef _res
    #endif
    #define _res _compat_res
    struct __res_state _res;

This defines a global, _compat_res, used only by OpenSSH (at least on NetBSD), and makes _res be that instead of the "real" _res (however that might be defined on various platforms). _res is used only in the getrrsetbyname function, which never initializes it in any way, but tries to act as if it's using the real _res. So it calls init_res every time:

    if ((_resp->options & RES_INIT) == 0 && res_init() == -1) {

and it never turns on DNSSEC, even when RES_USE_EDNS0 is set, since it's checking for it in the wrong place:

    if (_resp->options & RES_USE_EDNS0)
        _resp->options |= RES_USE_DNSSEC;

The fix is to remove the code that redefines _res, or at least #ifdef it for only those platforms that need this for some reason.
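The report above is about SSHFP records only being useful when the resolver actually requests and validates DNSSEC. The following added example (not OpenSSH code, and not from the bug reporter) shows what an SSHFP record contains and how a client-side check should treat it: the record is derived from the public key blob with the RFC 4255/6594 algorithm and fingerprint-type numbers, and it is only trusted when the resolver reports the answer as authenticated (modelled here by an `ad_flag` argument standing in for the AD bit). The key blob, the key line and the DNS answers are all constructed for the example; there is no real key or lookup involved.

```python
"""Build and verify SSHFP records the way a DNS-based host-key check would.

Added example for illustration; not OpenSSH's implementation. The Ed25519 key
blob below is constructed (not a real key) so the script runs offline.
"""
import base64
import hashlib
import hmac

# SSHFP "algorithm" numbers (RFC 4255 / RFC 6594 / RFC 7479) by SSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP "fingerprint type" numbers: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


# Constructed public-key blob in the ssh-ed25519 wire layout; the 32 key bytes
# are a placeholder pattern, not a usable key.
CONSTRUCTED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
CONSTRUCTED_KEY_LINE = "ssh-ed25519 " + base64.b64encode(CONSTRUCTED_BLOB).decode()


def parse_pubkey_line(line):
    """Split a known_hosts/authorized_keys style line into (key type, raw blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    return keytype, blob


def make_sshfp(line, fptype=2):
    """Return the SSHFP RDATA text '<alg> <fptype> <hex digest>' for a key line.

    The digest covers the raw public-key blob (the decoded base64 field), which
    is exactly what 'ssh-keygen -r' hashes.
    """
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    digest = SSHFP_HASHES[fptype](blob).hexdigest()
    return f"{alg} {fptype} {digest}"


def verify_sshfp(line, rdata, ad_flag):
    """Return True only if the record matches the key AND the DNS answer was
    DNSSEC-authenticated.

    ad_flag models the AD bit a validating resolver sets on authenticated
    answers; without it an SSHFP record is just unauthenticated data and must
    not be used to accept a host key (this is the failure mode in the report:
    the client never asked for DNSSEC, so it could never see a trusted answer).
    """
    if not ad_flag:
        return False
    keytype, blob = parse_pubkey_line(line)
    parts = rdata.split()
    if len(parts) != 3:
        return False
    alg, fptype, fp_hex = int(parts[0]), int(parts[1]), parts[2].lower()
    if SSHFP_ALGORITHMS.get(keytype) != alg or fptype not in SSHFP_HASHES:
        return False
    expected = SSHFP_HASHES[fptype](blob).hexdigest()
    # Constant-time comparison so a mismatch does not leak digest position.
    return hmac.compare_digest(expected, fp_hex)


if __name__ == "__main__":
    record = make_sshfp(CONSTRUCTED_KEY_LINE, 2)
    print("SSHFP record:", record)
    # Constructed answers: one validated (AD set), one not.
    print("validated answer accepted:", verify_sshfp(CONSTRUCTED_KEY_LINE, record, True))
    print("insecure answer accepted: ", verify_sshfp(CONSTRUCTED_KEY_LINE, record, False))
```

The two answers at the end are the point of the thread: the same correct record is only usable when the resolver validated it, so a client that never enables DNSSEC in its resolver state will always end up on the "insecure" branch.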
This was also mentioned on the mailing list, however it has not been confirmed whether or not the patch resolves the problem on NetBSD. http://marc.info/?l=openssh-unix-dev&m=117390608117235
Created attachment 1258: Check for global _res in configure. Note that you will need to run "autoreconf" to rebuild configure before configuring and building.
The patch has been applied to both -HEAD and the 4.6 stable branch so it will be in the next release. Could you please test a snapshot from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ (20070430 or later) and confirm that the problem is indeed resolved for you? Thanks.
Close resolved bugs after release.