Subject: DNSSEC and SSHFP
To: None <tech-security@netbsd.org>
From: Curt Sampson <cjs@cynic.net>
List: tech-security
Date: 03/02/2007 14:48:44
Does our OpenSSH in NetBSD-4 (OpenSSH_4.4 NetBSD_Secure_Shell-20061114,
OpenSSL 0.9.8d 28 Sep 2006) properly figure out when an SSHFP record is
secure or not? I've signed the cynic.net zone, added the appropriate
trusted-key stuff to my resolver's config, and now when I query the
local resolver for cynic.net records, I do indeed find the 'ad' flag
set. Yet ssh to the cynic.net hosts still says:

     debug1: found 1 insecure fingerprints in DNS

A cursory examination of the code and our header files seems to indicate
that it should, but in my case, it doesn't. Any thoughts?

Basically, I really want to get rid of having "role" hosts (such as
repo.cynic.net) in known_hosts files, because I'm sick of having to run
around and change these on a ton of machines when I move a role from one
host to another.

cjs
-- 
Curt Sampson            <cjs@cynic.net>             +81 90 7737 2974
   The power of accurate observation is commonly called cynicism
   by those who have not got it.    --George Bernard Shaw
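As an added illustration of what the post is asking about, and not code from the original message or from OpenSSH itself: the following Python builds the SSHFP records for a host key the way `ssh-keygen -r` does (hash of the wire-format public key blob, RFC 4255, with the later SHA-256/ECDSA/Ed25519 code points from RFC 6594 and RFC 7479, which OpenSSH 4.4 did not yet know), checks a presented key against a returned RRset, and reproduces the rule behind the "insecure fingerprints" message: a matching record only counts as secure when the answer was DNSSEC-validated, which OpenSSH learns from its resolver call (getrrsetbyname), not from what dig shows. The host key is constructed for the example and is not any real host's key; the hostname repo.cynic.net is borrowed from the post.

```python
# Added example (not from the original post): build and check SSHFP records
# the way OpenSSH does, including the "secure" vs "insecure" distinction.
import base64
import hashlib
import struct

# RR field values: RFC 4255 defines algorithms 1 (RSA) and 2 (DSA) and
# fingerprint type 1 (SHA-1); RFC 6594 adds ECDSA (3) and SHA-256 (2),
# RFC 7479 adds Ed25519 (4). OpenSSH 4.4 only knew the RFC 4255 values.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: "sha1", 2: "sha256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample host key (not a real host's key): an Ed25519 public key
# whose 32 key bytes are simply 0x00..0x1f, in known_hosts/authorized_keys form.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " repo.cynic.net"


def parse_pubkey_line(line: str):
    """Parse one 'keytype base64blob [comment]' line.

    Returns (key_type, blob); the blob is the decoded wire-format key, which is
    exactly what SSHFP fingerprints are computed over.
    """
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode() != key_type:
        raise ValueError("key type prefix does not match wire blob")
    return key_type, blob


def sshfp_records(hostname: str, pubkey_line: str, fptypes=(1, 2)):
    """Return the SSHFP RRs for a host key in zone-file syntax (cf. ssh-keygen -r)."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHMS[key_type]
    records = []
    for fptype in fptypes:
        digest = hashlib.new(SSHFP_FPTYPES[fptype], blob).hexdigest()
        records.append(f"{hostname}. IN SSHFP {alg} {fptype} {digest}")
    return records


def parse_sshfp_rr(record: str):
    """Turn 'host. IN SSHFP alg fptype hex' back into an (alg, fptype, hex) tuple."""
    alg, fptype, fp_hex = record.split()[-3:]
    return int(alg), int(fptype), fp_hex


def sshfp_matches(pubkey_line: str, alg: int, fptype: int, fp_hex: str) -> bool:
    """True if one SSHFP RR (alg, fptype, fingerprint) matches the presented key."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    if SSHFP_ALGORITHMS.get(key_type) != alg or fptype not in SSHFP_FPTYPES:
        return False
    digest = hashlib.new(SSHFP_FPTYPES[fptype], blob).hexdigest()
    return digest == fp_hex.lower()


def dns_host_key_verdict(pubkey_line: str, rrset, ad_flag: bool) -> str:
    """Classify an SSHFP lookup for the key a server presented.

    rrset is a list of (alg, fptype, fp_hex) tuples from the resolver and
    ad_flag is whether that answer was reported as DNSSEC-validated (the AD
    bit). A match on an unvalidated answer is what ssh reports as an
    "insecure fingerprint": it still prompts the user to confirm the key.
    """
    if not rrset:
        return "no-record"
    if not any(sshfp_matches(pubkey_line, *r) for r in rrset):
        return "mismatch"
    return "secure" if ad_flag else "insecure"


if __name__ == "__main__":
    records = sshfp_records("repo.cynic.net", SAMPLE_KEY)
    print("\n".join(records))
    rrset = [parse_sshfp_rr(r) for r in records]
    # Same records, but the resolver did not validate them: still "insecure".
    print(dns_host_key_verdict(SAMPLE_KEY, rrset, ad_flag=False))
    print(dns_host_key_verdict(SAMPLE_KEY, rrset, ad_flag=True))
```

The last two lines of output make the post's symptom concrete: identical, correct SSHFP data yields "insecure" whenever the validated flag does not reach ssh. Seeing `ad` in a dig answer proves the validating resolver's side; whether the library call ssh makes requests DNSSEC and propagates that flag is the separate thing to check when the message persists.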