Brew openssh is not working with SSHFP/DNSSEC records (High Sierra)

(Jonathan Duncan) #1

tags: #sshfp, #dnssec, #ldns, #openssh, #openssl

On macOS 10.13 (High Sierra) upgrading openssh to version 7.5p1 and higher causes a problem with LDNS. This is a known bug.

Exact message when using ssh -vvv to a remote system which relies on SSHFP:

debug3: verify_host_key_dns
DNS lookup error: general failure
debug3: hostkeys_foreach: reading file "~/.ssh/known_hosts"
debug3: hostkeys_foreach: reading file "~/.ssh/known_hosts"
The authenticity of host '' can't be established.

One interim fix is to use an older version (if you have one on your system) with brew by using this command (or similar):

brew switch openssh 7.4p1

I have brought up this issue with the people on the OpenSSH list:

sshfp/ldns still having issues in 7.6

In that thread it was suggested that using getdns instead of ldns could be a good alternate solution.

A related bug was opened and closed already:
“[OpenSSH] OpenSSH v7.5p1, Homebrew revision 1 Fails to Build on OS X ‘El Capitan’ v10.11.6”

I am only seeing this on High Sierra.

Anyone else running into this problem?
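To make the failing step concrete, here is an added example (not code from the thread, OpenSSH or Homebrew) that models the SSHFP check OpenSSH performs in verify_host_key_dns once the resolver has returned records: compute the SSHFP fingerprints for a host key blob, then match a presented key against a record set and report whether the match came from a DNSSEC-validated answer. The ldns lookup itself, which is what breaks on High Sierra, is out of scope, so the records and the DNSSEC status are passed in. The host name host.example.test, the 32-byte key material and the sample known_hosts line are constructed for the example, and the three-flag result is a simplified reading of OpenSSH's found/match/secure flags, not its actual API.

```python
# Added example: models the SSHFP comparison behind OpenSSH's verify_host_key_dns.
# The DNS query (done by ldns in OpenSSH) is assumed to have happened already.
import base64
import hashlib
import hmac
import struct

# SSHFP RDATA is "<algorithm> <fp-type> <hex fingerprint>" (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # fp-type 1 = SHA-1, 2 = SHA-256


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey):
    """Build the public-key blob for an ed25519 key (the part ssh-keygen base64-encodes)."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def key_blob_from_line(line):
    """Return the decoded key blob from a known_hosts or ssh-keygen style line."""
    fields = line.split()
    # known_hosts: "host type base64 [comment]"; ssh-keygen output: "type base64 [comment]"
    for i in range(len(fields) - 1):
        if fields[i] in SSHFP_ALGORITHMS:
            return base64.b64decode(fields[i + 1])
    raise ValueError("no recognised key type in line")


def key_type_of(blob):
    """Read the key-type string that leads every SSH public-key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def sshfp_records_for_key(blob, fp_types=(1, 2)):
    """Generate the SSHFP RDATA strings a zone operator would publish for this key.

    The fingerprint is a digest over the whole wire-format blob, the same thing
    'ssh-keygen -r <host> -f <pubkey file>' prints.
    """
    alg = SSHFP_ALGORITHMS[key_type_of(blob)]
    return ["%d %d %s" % (alg, t, SSHFP_DIGESTS[t](blob).hexdigest()) for t in fp_types]


def parse_sshfp(rdata):
    """Parse SSHFP RDATA text into (algorithm, fp_type, lowercase hex fingerprint)."""
    alg, fp_type, hexfp = rdata.split()
    return int(alg), int(fp_type), hexfp.lower()


def verify_host_key_dns(blob, sshfp_records, dnssec_validated):
    """Simplified model of the flags OpenSSH derives from SSHFP records.

    Returns (found, matched, secure):
      found   - at least one record exists for this key's algorithm with a known digest type
      matched - one of those records carries the fingerprint of 'blob'
      secure  - the match came from a DNSSEC-validated answer; only then is the key
                accepted on the strength of DNS alone (VerifyHostKeyDNS=yes)
    A failed lookup, as in the thread above, yields no records: (False, False, False).
    """
    alg = SSHFP_ALGORITHMS[key_type_of(blob)]
    found = matched = False
    for rdata in sshfp_records:
        r_alg, r_fp_type, r_hex = parse_sshfp(rdata)
        if r_alg != alg or r_fp_type not in SSHFP_DIGESTS:
            continue  # record is for another key type or an unknown digest
        found = True
        ours = SSHFP_DIGESTS[r_fp_type](blob).hexdigest()
        if hmac.compare_digest(ours, r_hex):
            matched = True
    return found, matched, matched and dnssec_validated


# Constructed sample host key (NOT a real key): bytes 0x00..0x1f as the ed25519 public key.
SAMPLE_RAW_PUBKEY = bytes(range(32))
SAMPLE_BLOB = make_ed25519_blob(SAMPLE_RAW_PUBKEY)
SAMPLE_KNOWN_HOSTS_LINE = "host.example.test ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    records = sshfp_records_for_key(SAMPLE_BLOB)
    for r in records:
        print("host.example.test. IN SSHFP", r)
    print(verify_host_key_dns(SAMPLE_BLOB, records, dnssec_validated=True))
```

On a working setup the records printed by sshfp_records_for_key for a real host key match what `ssh-keygen -r <host> -f <pubkey file>` prints and what `dig +dnssec SSHFP <host>` returns; when the ldns lookup fails as in the debug output above, OpenSSH never reaches the comparison and falls back to the known_hosts prompt.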

(Jonathan Duncan) #2

For the moment, openssh is now doing DNS lookups. I am not sure exactly how I achieved this. I did update the openssh.rb formula to make ldns a requirement. Then I ran brew install --build-from-source openssh. I also did several other things. So I cannot yet duplicate this. If/when I run into this again I will continue the troubleshooting process. Updates tend to break things. I also support other users running a similar setup, so I will likely have the opportunity to again.