# [1]: http://cseweb.ucsd.edu/~mihir/papers/oem.html
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
# Disable DSA host keys because they are weak (only 1024 bit) and elliptic
-# curves. I don't need certificates, therefore disables those algorithms as
+# curves. I don't need certificates, therefore disable those algorithms as
# well (*-cert-*).
HostKeyAlgorithms ssh-rsa
CheckHostIP yes
# Ask before adding any host keys to ~/.ssh/known_hosts (default).
StrictHostKeyChecking ask
-# Don't trust host keys from DNS' SSHFP resource records (default).
- VerifyHostKeyDNS no
+# Check host keys from DNS' SSHFP resource records but ask apply
+# StrictHostKeyChecking before trusting them.
+ VerifyHostKeyDNS ask