On 2020-09-14 13:00:58 +0100 (+0100), Sorin Sbarnea wrote:
> I am in favor of doing a key sync as this would be the least intrusive from the user's point of view.
> Having the SSHFP is a good measure and improves security far more than the issue of having the key synchronized. [...]
We ended up solving it by having the SSHFP records for review.opendev.org reflect the mina-ssh based Gerrit API listener on 29418/tcp, while the SSHFP records for review01.opendev.org (the server's canonical name) correspond to the OpenSSH listener for the operating system itself on 22/tcp. It meant dropping the CNAME indirection for the service name and just giving it A/AAAA records directly, but that's not particularly inconvenient for us to manage (they're effectively adjacent lines in the same zone file anyway). -- Jeremy Stanley
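An added illustration, not part of the thread, of the zone layout Jeremy describes: an SSHFP record carries an algorithm, a fingerprint type and a hash of the host key but no port, so each listener (Gerrit's mina-ssh on 29418/tcp, the OS sshd on 22/tcp) needs its own owner name. The host keys below are constructed for the example and are not the real review.opendev.org keys.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA256 = 2  # fingerprint type 2 = SHA-256 (type 1 = SHA-1, do not publish new ones)


def sshfp_rdata(pubkey_line):
    """Turn one 'keytype base64blob [comment]' line into (algorithm, fptype, hexdigest)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the fingerprint covers the raw wire-format key blob
    return (SSHFP_ALGORITHMS[keytype], SSHFP_SHA256, hashlib.sha256(blob).hexdigest())


def zone_records(owner, pubkey_lines):
    """Render SSHFP RRs for one owner name; one owner per listener, since the RR has no port."""
    return ["%s IN SSHFP %d %d %s" % ((owner,) + sshfp_rdata(line)) for line in pubkey_lines]


def host_key_matches(pubkey_line, rdata_set):
    """What a VerifyHostKeyDNS=yes client checks: the presented key must match a published RR."""
    return sshfp_rdata(pubkey_line) in set(rdata_set)


def _constructed_key_line(keytype, raw_key):
    """Build a valid OpenSSH public-key line from constructed key bytes (ssh string encoding)."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(keytype.encode()) + ssh_string(raw_key)
    return "%s %s constructed-example" % (keytype, base64.b64encode(blob).decode())


# Constructed sample keys: the Gerrit listener and the OS sshd each get their own name.
GERRIT_KEY = _constructed_key_line("ssh-ed25519", bytes(range(32)))
SSHD_KEY = _constructed_key_line("ssh-ed25519", bytes(range(32, 64)))

if __name__ == "__main__":
    for rr in (zone_records("review.opendev.org.", [GERRIT_KEY])
               + zone_records("review01.opendev.org.", [SSHD_KEY])):
        print(rr)
```

With real keys the same output is produced by `ssh-keygen -r <hostname> -f <pubkey file>`, which is the easier way to generate the records for the zone.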