On 2020-08-01 15:44:21 +0200 (+0200), Dr. Jens Harbott wrote: [...]
> The SSHFP records document the keys for the SSH daemon listening on port 22 used for administrative access to the server, not the keys used by gerrit. AFAICT there is no way to specify keys for different ports in DNS, so when accessing gerrit via ssh, you will have to disable DNS verification in order to get rid of this warning. For openssh this would mean setting VerifyHostKeyDNS=no (which is also the default, so likely you must have overridden this somewhere), but I do get a similar error to yours if I set the option to "yes". [...]
This is going to be challenging to work around, I think. The cleanest solution is probably going to be separating the review.opendev.org service name from the system's FQDN in DNS. This way we could avoid publishing SSHFP RRs for the service name (or better still, publish different SSHFP RRs), but that means we'll need to separate out the ACME glue for DNS-based X.509 cert renewals. That would likely not be too hard if we can just stop putting review01.opendev.org as one of the subject altnames. An alternative would be to sync the Gerrit mina-sshd API and system OpenSSH host keys, though that could present a degradation of security for the base system (maybe effectively not one we care about though?). Another alternative would be to just drop the SSHFP RRs for the Gerrit server, though that makes it inconsistent with the rest of our servers if we do.
--
Jeremy Stanley
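The mismatch both messages describe can be reproduced offline. The following is an added example, not code from the OpenDev project or from either poster: it re-implements what `ssh-keygen -r <hostname>` does (hash the raw wire-format public key blob into an SSHFP record, RFC 4255/6594/7479) and the comparison an SSHFP-aware client makes against the key a server presents. The two "host keys", the host names used as DNS owners, and the record sets attributed to the current and proposed DNS layouts are all constructed for the example; the key blobs are placeholder bytes, not real Ed25519 keys.

```python
"""Build and check SSHFP records for two sshd instances on one host.

Added example, not OpenDev/Gerrit code. Key material below is constructed.
"""
import base64
import hashlib
import struct
from typing import Iterable, Tuple

# SSHFP "algorithm" field (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP "fptype" field.
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
FPTYPE_NAME = {v: k for k, v in SSHFP_FPTYPE.items()}

Record = Tuple[int, int, str]  # (algorithm, fptype, fingerprint hex)


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_pubkey_line(seed: bytes, comment: str) -> str:
    """Return a known_hosts-style 'ssh-ed25519 <base64> <comment>' line.

    The 32-byte "point" is SHA-256 of the seed so the example is self-contained;
    it is NOT a real Ed25519 public key (constructed placeholder material).
    """
    raw_point = hashlib.sha256(seed).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def sshfp_from_pubkey_line(line: str, fptype: str = "sha256") -> Record:
    """(algorithm, fptype, hex fingerprint) for one public key line.

    As with `ssh-keygen -r`, the fingerprint is the digest of the decoded
    base64 blob (the wire-format key), not of the text line.
    """
    keytype, b64blob = line.split()[:2]
    blob = base64.b64decode(b64blob)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type inside blob does not match line prefix")
    return SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE[fptype], hashlib.new(fptype, blob).hexdigest()


def format_sshfp_rr(owner: str, line: str, fptype: str = "sha256") -> str:
    """Zone-file presentation of the record, e.g. 'host. IN SSHFP 4 2 <hex>'."""
    alg, fpt, fp = sshfp_from_pubkey_line(line, fptype)
    return f"{owner} IN SSHFP {alg} {fpt} {fp}"


def key_matches_sshfp(line: str, records: Iterable[Record]) -> bool:
    """True if any published record matches the presented key.

    This is the check a client with VerifyHostKeyDNS=yes performs against the
    key the server sends; it knows nothing about which TCP port was used.
    """
    for alg, fpt, fp in records:
        name = FPTYPE_NAME.get(fpt)
        if name is None:
            continue  # unknown digest type: this record cannot be evaluated
        if sshfp_from_pubkey_line(line, name) == (alg, fpt, fp.lower()):
            return True
    return False


def records_for(line: str) -> list:
    return [sshfp_from_pubkey_line(line, t) for t in ("sha1", "sha256")]


# Constructed scenario: one box, the system OpenSSH on :22 and Gerrit's
# mina-sshd on :29418, each with its own host key.
SYSTEM_SSHD_KEY = constructed_ed25519_pubkey_line(b"system-openssh-port-22", "root@review01")
GERRIT_SSHD_KEY = constructed_ed25519_pubkey_line(b"gerrit-mina-sshd-port-29418", "gerrit")

# Model of the current layout: the service name carries the same SSHFP set as
# the system FQDN, generated from the port-22 key only.
CURRENT_DNS = {
    "review01.opendev.org.": records_for(SYSTEM_SSHD_KEY),
    "review.opendev.org.": records_for(SYSTEM_SSHD_KEY),
}
# Model of the "separate service name" option: each name publishes the key of
# the daemon users actually reach under it.
PROPOSED_DNS = {
    "review01.opendev.org.": records_for(SYSTEM_SSHD_KEY),
    "review.opendev.org.": records_for(GERRIT_SSHD_KEY),
}


def scenario() -> dict:
    svc = "review.opendev.org."
    return {
        "admin_ssh_current": key_matches_sshfp(SYSTEM_SSHD_KEY, CURRENT_DNS[svc]),   # True
        "gerrit_ssh_current": key_matches_sshfp(GERRIT_SSHD_KEY, CURRENT_DNS[svc]),  # False: the warning
        "gerrit_ssh_proposed": key_matches_sshfp(GERRIT_SSHD_KEY, PROPOSED_DNS[svc]),  # True
    }


if __name__ == "__main__":
    for name, recs in PROPOSED_DNS.items():
        for alg, fpt, fp in recs:
            print(f"{name} IN SSHFP {alg} {fpt} {fp}")
    print(scenario())
```

Against a real host, `ssh-keygen -r review01.opendev.org` prints the records for the system's own host keys, and `ssh-keyscan -p 29418 review.opendev.org` fetches the key Gerrit presents, so the two fingerprints can be compared the same way. Note that OpenSSH only treats an SSHFP match as trustworthy when the DNS answer was DNSSEC-validated; without that it still falls back to the usual known_hosts prompt.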