Question on DNS spoofing and CheckHostIP

Hi,

I have a question on the IP address check performed by ssh clients as
part of host key verification against entries in the known_hosts file
(i.e. the additional check that is turned on when we set 'CheckHostIP' to
'yes' in the ssh_config file).

As per the man page of ssh_config:

CheckHostIP
If this flag is set to "yes", ssh will additionally check the
host IP address in the known_hosts file. This allows ssh to
detect if a host key changed due to DNS spoofing. If the option
is set to "no", the check will not be executed. The default is
"yes".
<<<<<

However, I am not able to understand the situations in which this
check will be able to detect any DNS spoofing other than what can be
detected by regular host key verification.

Consider this situation:
hostA's IP address is 1.2.3.4
The known_hosts file on hostB has an entry for hostA, as below:
hostA,1.2.3.4 ssh-rsa <key......>

From hostB, I execute
ssh myuser@hostA

Let us say there is DNS spoofing, and hence I get connected to a different host.

ssh will try to search the known_hosts file for an entry corresponding
to hostA. It tries to match the key found with what was given by the
remote end. There is a key mismatch and the user is informed.
In such a case, regular host name checking was enough to detect the
DNS spoofing. The IP address check did not even come into the picture.

If the remote end had the correct keys at all, then both the host name
and IP address checks would have passed. Here, the IP address check
does not give any additional security.

In summary, I am not able to understand the additional benefit of
doing 'CheckHostIP'.

Your comments on this would really help.

regards,
-Jithesh
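An added example, not part of the post above and not OpenSSH's own code: a simplified Python model of how the client consults known_hosts for the host name and, with CheckHostIP set to "yes", for the resolved IP address as well. It reproduces the scenario in the post (name lookup already fails, so the IP check never matters) and goes one step further to the case the IP check is there for: the name entry matches, but the IP actually reached is stored under a different key. The known_hosts text, keys and function names are constructed for illustration, and only plain (unhashed) entries are handled.

```python
# Simplified model of OpenSSH's known_hosts consultation with CheckHostIP.
# KNOWN_HOSTS and the key strings are constructed sample data.
KNOWN_HOSTS = """\
hostA,1.2.3.4 ssh-rsa AAAA_KEY_A
hostC,5.6.7.8 ssh-rsa AAAA_KEY_C
"""


def parse_known_hosts(text):
    """Parse plain (unhashed) known_hosts lines into (names, keytype, key)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, keytype, key = line.split()[:3]
        entries.append((set(names.split(",")), keytype, key))
    return entries


def status_for(entries, name, keytype, key):
    """Per-name verdict: 'ok' (stored key matches), 'changed', or 'new'."""
    for names, ktype, stored in entries:
        if name in names and ktype == keytype:
            return "ok" if stored == key else "changed"
    return "new"


def check_host_key(entries, hostname, ip, keytype, key, check_host_ip=True):
    """Return (host_status, ip_status, action) as the client would decide."""
    host_status = status_for(entries, hostname, keytype, key)
    ip_status = status_for(entries, ip, keytype, key) if check_host_ip else None
    if host_status == "changed":
        return host_status, ip_status, "refuse"  # the classic mismatch warning
    if host_status == "new":
        return host_status, ip_status, "prompt"  # "authenticity can't be established"
    if check_host_ip and ip_status == "changed":
        # Name entry matched, but the address we reached is stored under a
        # different key: ssh prints its "host key ... differs from the key for
        # the IP address" warning. Only CheckHostIP notices this situation.
        return host_status, ip_status, "warn"
    return host_status, ip_status, "accept"


if __name__ == "__main__":
    kh = parse_known_hosts(KNOWN_HOSTS)
    # Scenario from the post: spoofed DNS, unknown peer, wrong key -> refused.
    print(check_host_key(kh, "hostA", "9.9.9.9", "ssh-rsa", "AAAA_KEY_X"))
    # hostA's name now points at hostC's address, peer presents hostA's key.
    print(check_host_key(kh, "hostA", "5.6.7.8", "ssh-rsa", "AAAA_KEY_A"))
```

Running it shows the post's scenario refused with or without the IP check, while the second call is accepted silently when CheckHostIP is off and produces the warning verdict when it is on.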