I’m sure at this point everyone has heard that GitHub updated their RSA SSH host key.
This is a common issue: say you re-installed a server at the same IP/hostname. No problem, you remove a line and put in another one.
But honestly, I thought that GitHub had SSHFP records in their DNS.
$ dig SSHFP github.com +short | wc
0 0 0
Not so much… But then again, looks like they DO need to sign their zone first.
$ whois github.com | grep DNSSEC
DNSSEC: unsigned
DNSSEC: unsigned
I have to say, using SSHFP has changed my life. Obviously there are some issues (Windows and macOS, specifically), but if you’re running a normal, modern operating system (hello BSDs, hello Linux) then it’s like magic!
I just set up one for our hackerspace!
$ whois hackerspace.am | grep DS
DNS servers (zone signed, 1 DS record):
$ dig hackerspace.am SSHFP +short | wc -l
6
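What an SSHFP answer actually contains, and how a host key is checked against it, as an added example that is not part of the original post: the fingerprint is a SHA-1 or SHA-256 digest of the raw public key blob, tagged with an algorithm number. The keys below are constructed sample values, `make_ed25519_line` is a hypothetical helper for building them, and the check assumes the answers came from a DNSSEC-validating resolver.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); ecdsa-sha2-* is 3.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fingerprint types


def make_ed25519_line(raw32):
    """Hypothetical helper: build an OpenSSH public key line from 32 constructed bytes."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def sshfp_records(pubkey_line):
    """Return {(algorithm, fp_type): hex_digest} for one OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; reject mismatches.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type does not match key blob")
    alg = 3 if key_type.startswith("ecdsa-sha2-") else ALGORITHMS[key_type]
    return {(alg, t): h(blob).hexdigest() for t, h in DIGESTS.items()}


def host_key_matches(pubkey_line, dns_answers):
    """True if any SSHFP answer ('alg type hex ...') matches the offered host key."""
    ours = sshfp_records(pubkey_line)
    for answer in dns_answers:
        alg, fp_type, *hex_parts = answer.split()
        fp = "".join(hex_parts).lower()  # tolerate uppercase and space-split hex
        if ours.get((int(alg), int(fp_type))) == fp:
            return True
    return False


if __name__ == "__main__":
    old_key = make_ed25519_line(bytes(range(32)))      # constructed "before" key
    new_key = make_ed25519_line(bytes(range(32, 64)))  # constructed "after" key
    published = ["4 2 " + sshfp_records(old_key)[(4, 2)].upper()]
    print("old key matches DNS:", host_key_matches(old_key, published))
    print("rotated key matches DNS:", host_key_matches(new_key, published))
```

After a key rotation the zone has to publish the new fingerprints, otherwise the new key fails this check the same way a stale known_hosts line does.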
Anyway, I’m sure many CI/CD pipelines are going crazy because of this… Good luck everyone!