openssh, SSHFP, DNSSEC and OSX

See:

~$ grep ^VerifyHostKeyDNS .ssh/config
VerifyHostKeyDNS yes
~$ ssh -v big.sokoll.com
[…]
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YnFuxTWl/p1hVfB9GelWMQnpbNjF6FXBC+IQQWjnnng
debug1: found 8 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

Note the insecure! OpenSSH calls an SSHFP fingerprint insecure when the DNS answer did not come back DNSSEC-validated, i.e. without the AD (authenticated data) flag from the resolver. With VerifyHostKeyDNS yes only a secure fingerprint is trusted implicitly; an insecure match is handled as if the option were set to ask, so you still get the usual host key prompt.
The zone is DNSSEC signed. This only happens to me on OSX, with the shipped ssh client and also with the one from MacPorts. Works fine on Linux, no insecure keys.
The fix is to build OpenSSH against ldns: the ldns-backed lookup sets the DO bit and reads the AD flag itself instead of relying on the system resolver library, which on OSX does not report it. Either way, "secure" only means that the resolver you query vouched for the RRset; the ssh client does not validate the DNSSEC chain on its own, so the resolver and the path to it have to be trusted (typically a validating resolver on localhost).

~$ sudo port clean openssh ; sudo port install openssh +ldns

And voilà!

~$ ssh -v big.sokoll.com
[…]
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YnFuxTWl/p1hVfB9GelWMQnpbNjF6FXBC+IQQWjnnng
debug1: found 8 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

Dunno about homebrew.
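To see what the client is actually matching against, here is an added Python example (not code from the post or from OpenSSH) that does two things: it builds the SSHFP records for a host key from one line of an OpenSSH public key file, the same output `ssh-keygen -r hostname -f /etc/ssh/ssh_host_ed25519_key.pub` prints, and it reads the flags line of a `dig +dnssec SSHFP big.sokoll.com` answer to tell a validated (AD) answer from an unvalidated one, which is exactly the secure/insecure distinction in the ssh -v output above. The sample key and the two dig headers are constructed for the example; they are not big.sokoll.com's real host key or a real dig run.

```python
import base64
import hashlib
import hmac
import re
import struct

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}


def _key_blob(pubkey_line):
    """Decode one line of an OpenSSH public key file into (keytype, wire blob).

    The SSHFP digest is taken over the raw wire-format key (the base64
    field of the line), not over the text line itself.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    # The blob starts with a length-prefixed copy of the key type; cross-check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match text field")
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("no SSHFP algorithm number for %s" % keytype)
    return keytype, blob


def sshfp_records(hostname, pubkey_line, fptypes=(1, 2)):
    """Return zone-file SSHFP lines for a host key (what `ssh-keygen -r` prints)."""
    keytype, blob = _key_blob(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [
        "%s. IN SSHFP %d %d %s"
        % (hostname, alg, fpt, hashlib.new(SSHFP_FPTYPE[fpt], blob).hexdigest())
        for fpt in fptypes
    ]


def sshfp_matches(pubkey_line, alg, fptype, fingerprint_hex):
    """Does an SSHFP rdata triple (alg, fptype, hex digest) describe this key?"""
    keytype, blob = _key_blob(pubkey_line)
    if SSHFP_ALGORITHM[keytype] != int(alg) or int(fptype) not in SSHFP_FPTYPE:
        return False
    expected = hashlib.new(SSHFP_FPTYPE[int(fptype)], blob).hexdigest()
    return hmac.compare_digest(expected, fingerprint_hex.lower())


def dnssec_validated(dig_output):
    """Did a `dig +dnssec` answer carry the AD flag?

    AD set means the resolver validated the RRset; this is what separates
    OpenSSH's "secure" from its "insecure" fingerprint messages.
    """
    m = re.search(r"^;; flags:\s*([a-z ]*);", dig_output, re.M)
    if not m:
        raise ValueError("no ';; flags:' line in dig output")
    return "ad" in m.group(1).split()


# --- constructed sample data: a placeholder key, not a real host key ---
def _fake_ed25519_pubkey():
    keytype = b"ssh-ed25519"
    key = bytes(range(32))  # 32 bytes of placeholder key material
    blob = (struct.pack(">I", len(keytype)) + keytype
            + struct.pack(">I", len(key)) + key)
    return "ssh-ed25519 %s example@host" % base64.b64encode(blob).decode()


SAMPLE_PUBKEY = _fake_ed25519_pubkey()

# Constructed dig headers: the first as a validating resolver answers,
# the second as a resolver that does not set AD answers.
DIG_VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_UNVALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for rr in sshfp_records("big.sokoll.com", SAMPLE_PUBKEY):
        print(rr)
    print("validated answer:", dnssec_validated(DIG_VALIDATED))
    print("unvalidated answer:", dnssec_validated(DIG_UNVALIDATED))
```

Publish both fingerprint types (1 = SHA-1, 2 = SHA-256) as ssh-keygen -r does, and keep one record per host key algorithm the server offers; a key whose algorithm has no SSHFP record simply cannot be matched. If `dig +dnssec` against your configured resolver never shows `ad` in the flags line, no ssh build will report secure fingerprints, because the client only reports what the resolver validated.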
