sshfp key verification
Hello!
I have configured my zone to use SSHFP resource records to make an additional check of SSH keys. It works when connecting from Linux and FreeBSD hosts:
%ssh -v -o "VerifyHostKeyDNS yes" -p 9922 example.com
OpenSSH_5.2p1 FreeBSD-20090522, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to example.com [1.1.1.1] port 9922.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes192-cbc hmac-ripemd160 none
debug1: kex: client->server aes192-cbc hmac-ripemd160 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: found 1 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: checking without port identifier
The authenticity of host '[example.com]:9922 ([1.1.1.1]:9922)' can't be established.
RSA key fingerprint is 21:e5:5c:ca:cb:5c:af:3e:45:f6:7f:c7:74:92:4f:b7.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
But when I try to connect to the same host from a Mac, I get this message:
$ ssh -v -o "VerifyHostKeyDNS yes" -p 9922 example.com
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug1: Connecting to example.com [1.1.1.1] port 9922.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type -1
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes192-cbc hmac-ripemd160 none
debug1: kex: client->server aes192-cbc hmac-ripemd160 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
DNS lookup error: general failure
debug1: checking without port identifier
The authenticity of host '[example.com]:9922 ([1.1.1.1]:9922)' can't be established.
RSA key fingerprint is 21:e5:5c:ca:cb:5c:af:3e:45:f6:7f:c7:74:92:4f:b7.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
I tried using the same DNS server and it didn't help. Any ideas on how to fix this?
iMac, Mac OS X (10.7.5)
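As an added example (not part of the original post or of OpenSSH), the following Python script shows what the client is actually comparing when VerifyHostKeyDNS is on: it builds the SSHFP RDATA (algorithm number, fingerprint type, hex digest of the raw key blob, as in RFC 4255) from an OpenSSH public key line, the same thing `ssh-keygen -r` prints, and emulates the client-side check including the "insecure" case where the DNS answer was not DNSSEC-validated. The sample key is constructed and is not a real RSA key; all function names are the example's own.

```python
from __future__ import annotations

import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement, wrapped as an SSH string."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_public_key_line(line: str) -> tuple[str, bytes]:
    """Parse an OpenSSH public key line ('ssh-rsa AAAA... comment') into (type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("key type in text does not match key type in blob")
    return keytype, blob


def sshfp_rdata(keytype: str, blob: bytes, fptype: int = 2) -> str:
    """SSHFP RDATA as written in a zone file: '<alg> <fptype> <hex digest>'.
    The digest is over the raw (base64-decoded) key blob, never over the text line."""
    algorithm = SSHFP_ALGORITHMS[keytype]
    digest = SSHFP_HASHES[fptype](blob).hexdigest()
    return f"{algorithm} {fptype} {digest}"


def md5_colon_fingerprint(blob: bytes) -> str:
    """Legacy display format ('RSA key fingerprint is 21:e5:...') used by older ssh clients."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def check_host_key(keytype: str, blob: bytes, records: list[str],
                   dnssec_validated: bool) -> tuple[bool, bool]:
    """Emulate the client's VerifyHostKeyDNS decision.
    Returns (matched, trusted): a match from an answer that was not DNSSEC-validated
    is an 'insecure' fingerprint and the client still asks the user to confirm."""
    matched = False
    for rr in records:
        fields = rr.split()
        if len(fields) != 3:
            continue  # ignore malformed RRs
        algorithm, fptype, hexfp = int(fields[0]), int(fields[1]), fields[2].lower()
        if algorithm != SSHFP_ALGORITHMS.get(keytype) or fptype not in SSHFP_HASHES:
            continue  # record is for another key type or an unknown hash type
        if SSHFP_HASHES[fptype](blob).hexdigest() == hexfp:
            matched = True
    return matched, matched and dnssec_validated


# Constructed sample: a well-formed ssh-rsa blob with a fake modulus, NOT a real key.
SAMPLE_BLOB = build_rsa_blob(65537, int.from_bytes(b"constructed-modulus-not-a-real-rsa-key", "big"))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@example.com"


if __name__ == "__main__":
    keytype, blob = parse_public_key_line(SAMPLE_LINE)
    print("MD5 fingerprint:", md5_colon_fingerprint(blob))
    for fptype in (1, 2):
        print(f"example.com. IN SSHFP {sshfp_rdata(keytype, blob, fptype)}")
    records = [sshfp_rdata(keytype, blob, 1), sshfp_rdata(keytype, blob, 2)]
    print("unvalidated answer      ->", check_host_key(keytype, blob, records, False))
    print("DNSSEC-validated answer ->", check_host_key(keytype, blob, records, True))
```

The "found 1 insecure fingerprints in DNS" line in the FreeBSD output means the SSHFP answer matched but arrived without DNSSEC validation, which is why that client still prompts; only a validated answer lets OpenSSH accept the key without asking. To see what a client gets, query the record directly with `dig +dnssec SSHFP example.com`; to generate the records on the server, use `ssh-keygen -r example.com -f /etc/ssh/ssh_host_rsa_key.pub`. Older OpenSSH clients, like the 5.x ones in the post, only understand SHA-1 (type 1) records, so publishing both fingerprint types is safest.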