- if (options.verify_host_key_dns) {
- switch(verify_host_key_dns(host, hostaddr, host_key)) {
- case DNS_VERIFY_OK:
-#ifdef DNSSEC
- return 0;
-#else
- verified_host_key_dns = 1;
- break;
-#endif
- case DNS_VERIFY_FAILED:
- return -1;
- case DNS_VERIFY_ERROR:
- break;
- default:
- debug3("bad return value from verify_host_key_dns");
- break;
+ if (options.verify_host_key_dns &&
+ verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+
+ if (flags & DNS_VERIFY_FOUND) {
+
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE)
+ return 0;
+
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(host_key);
+ error("Update the SSHFP RR in DNS with the new "
+ "host key to get rid of this message.");
+ }