===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshconnect.c,v
retrieving revision 1.139
retrieving revision 1.140
diff -u -r1.139 -r1.140
--- src/usr.bin/ssh/sshconnect.c	2003/04/14 14:17:50	1.139
+++ src/usr.bin/ssh/sshconnect.c	2003/05/14 18:16:21	1.140
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.139 2003/04/14 14:17:50 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.140 2003/05/14 18:16:21 jakob Exp $");
 
 #include <openssl/bn.h>
 
@@ -33,6 +33,10 @@
 #include "misc.h"
 #include "readpass.h"
 
+#ifdef DNS
+#include "dns.h"
+#endif
+
 char *client_version_string = NULL;
 char *server_version_string = NULL;
 
@@ -789,10 +793,27 @@
 	return -1;
 }
 
+/* returns 0 if key verifies or -1 if key does NOT verify */
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
 	struct stat st;
+
+#ifdef DNS
+	if (options.verify_host_key_dns) {
+		switch(verify_host_key_dns(host, hostaddr, host_key)) {
+		case DNS_VERIFY_OK:
+			return 0;
+		case DNS_VERIFY_FAILED:
+			return -1;
+		case DNS_VERIFY_ERROR:
+			break;
+		default:
+			debug3("bad return value from verify_host_key_dns");
+			break;
+		}
+	}
+#endif /* DNS */
 
 	/* return ok if the key can be found in an old keyfile */
 	if (stat(options.system_hostfile2, &st) == 0 ||