Something helpful for anyone looking into this later: I found what seems a good test case without requiring too much of a local setup (of a DNSSEC DNS server).

To get unbound (brute force) do:

  sudo apt install unbound
  sudo systemctl stop systemd-resolved
  sudo systemctl disable systemd-resolved
  sudo systemctl enable unbound-resolvconf
  sudo systemctl enable unbound
  # set nameserver 127.0.0.1
  sudo vim /etc/resolv.conf

Now this should show the ad flag as reported:

  $ dig salsa.debian.org -t sshfp
  ...
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

  $ ssh -v -o "VerifyHostKeyDNS=yes" <email address hidden>

This indeed (as reported) does show the changed behavior (clean LXD containers, just the changes mentioned above, edns0 set by default):

Bionic:
  debug1: found 4 secure fingerprints in DNS
  debug1: matching host key fingerprint found in DNS

Focal:
  debug1: found 4 insecure fingerprints in DNS
  debug1: matching host key fingerprint found in DNS
  The authenticity of host 'salsa.debian.org (209.87.16.44)' can't be established.
  ED25519 key fingerprint is SHA256:OAD3pGSwcODIthxF+zIRvPTZ8UCJAYI75E42XDfGr84.
  Matching host key fingerprint found in DNS.
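The "secure" versus "insecure" wording in the ssh -v output above comes down to whether the resolver set the AD bit on the SSHFP answer, and a match only counts once that bit is present. The following Python is an added example, not code from this bug report or from OpenSSH: it parses the DNS header flags the way dig prints them, computes and compares SSHFP RDATA against a public key blob, and models the accept/prompt decision; the response headers, the key blob and the accept_without_prompt field are this example's constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed 12-byte DNS response headers (not captured traffic): id, flags,
# QDCOUNT=1, ANCOUNT=4, NSCOUNT=0, ARCOUNT=1, mirroring the dig line above.
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 4, 0, 1)    # qr rd ra ad
RESP_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 1)  # qr rd ra

# Header flag bits (RFC 1035 / RFC 4035), in the order dig prints them.
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256 (digest of the raw key blob).
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def header_flags(resp):
    """Return the names of the flags set in a DNS message header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _, flags, *_ = struct.unpack("!HHHHHH", resp[:12])
    return [name for name, bit in FLAG_BITS.items() if flags & bit]


def make_sshfp(key_blob, algorithm=4, fptype=2):
    """Build SSHFP RDATA: algorithm (4 = Ed25519), fingerprint type, digest."""
    return bytes([algorithm, fptype]) + HASHES[fptype](key_blob).digest()


def sshfp_matches(rdata, key_blob, algorithm=4):
    """True if the SSHFP record covers this algorithm and its digest matches the key."""
    if len(rdata) < 3 or rdata[0] != algorithm or rdata[1] not in HASHES:
        return False
    expected = HASHES[rdata[1]](key_blob).digest()
    return hmac.compare_digest(rdata[2:], expected)  # constant-time compare


def verify_host_key_dns(resp, rdatas, key_blob, algorithm=4):
    """Model of the decision behind the ssh -v lines: fingerprints are 'secure'
    only when AD is set; a secure match is what lets the key be accepted without
    a prompt, an insecure match is merely reported (assumption of this example)."""
    secure = "ad" in header_flags(resp)
    matched = any(sshfp_matches(r, key_blob, algorithm) for r in rdatas)
    return {"secure": secure, "matched": matched,
            "accept_without_prompt": secure and matched}
```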