I found out that the way PuTTY stores the server fingerprint is different from the way OpenSSH does it:
OpenSSH takes the hostname you provide, so foo and foo.example.net are two different entries, even if the search domains (in /etc/resolv.conf, for example) make foo resolve to foo.example.net.
PuTTY, on the other hand, looks at the DNS name, so if foo used to point to foo.example.net, and foo.example.net is now a CNAME pointing to bar.example.net, it will complain.
It does not complain properly, though. It still says "I don't know the server fingerprint for foo", but at the top left of the PuTTY window title bar it shows "bar.example.net" instead of the expected "foo.example.net", and that is the only indication of what went wrong.
So much for a "Let's prepare this change in DNS so that it will be transparent for users" 🙂
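The two lookup rules described above, as an added example (this is not code from PuTTY, OpenSSH or the original post): a small Python reimplementation of how OpenSSH matches a name against known_hosts (plain names, `*`/`?` wildcards, `!` negation, `[host]:port` entries and HashKnownHosts `|1|salt|hash` entries), run once keyed on the name the user typed and once keyed on the resolved DNS name, which is the behaviour the post attributes to PuTTY. The known_hosts contents, key blobs, fixed salts and the DNS_BEFORE/DNS_AFTER resolver tables are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample key blobs; they are not real public keys (only the strings matter here).
FOO_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyForFoo000000000000"
FOO_ALT_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyForFooPort2222000"


def hash_host(hostname, salt=None):
    """Build an OpenSSH HashKnownHosts-style host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host)).

    OpenSSH lowercases the name and uses a fresh 20-byte random salt per entry.
    """
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.lower().encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def glob_match(name, pattern):
    """known_hosts patterns only know '*' and '?'; everything else (including '[') is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None


def host_matches(host_field, name):
    """True if a known_hosts host field matches `name` the way OpenSSH compares them."""
    name = name.lower()
    if host_field.startswith("|1|"):
        # Hashed entry: recompute the HMAC with the stored salt and compare in constant time.
        _, _, salt_b64, digest_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(digest_b64)
        return hmac.compare_digest(stored, hmac.new(salt, name.encode(), hashlib.sha1).digest())
    # Plain entry: comma-separated patterns; a leading '!' negates and wins over any positive match.
    matched = False
    for pattern in host_field.lower().split(","):
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if glob_match(name, pattern):
            if negated:
                return False
            matched = True
    return matched


def find_keys(known_hosts_text, hostname, port=22):
    """Return the (keytype, key) entries OpenSSH would consult for hostname:port.

    Non-default ports are stored as [host]:port. @cert-authority/@revoked marker lines are skipped here.
    """
    name = hostname if port == 22 else "[%s]:%d" % (hostname, port)
    keys = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0].startswith("@"):
            continue
        if len(fields) >= 3 and host_matches(fields[0], name):
            keys.append((fields[1], fields[2]))
    return keys


# Constructed known_hosts: a plain entry for the short name as typed, a hashed entry for the FQDN
# (fixed salt so the example is reproducible), and an entry for the same host on port 2222.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "foo ssh-ed25519 " + FOO_KEY,
    hash_host("foo.example.net", salt=b"\x01" * 20) + " ssh-ed25519 " + FOO_KEY,
    "[foo]:2222 ssh-ed25519 " + FOO_ALT_KEY,
])

# Constructed resolver tables standing in for search-domain and CNAME resolution.
DNS_BEFORE = {"foo": "foo.example.net"}  # foo.example.net is an ordinary address record
DNS_AFTER = {"foo": "bar.example.net"}   # foo.example.net is now a CNAME for bar.example.net


def lookup_by_typed_name(typed):
    """OpenSSH behaviour described in the post: look the key up under the name the user typed."""
    return find_keys(SAMPLE_KNOWN_HOSTS, typed)


def lookup_by_canonical_name(typed, resolver):
    """Behaviour the post attributes to PuTTY: resolve first, then look up under the canonical name."""
    return find_keys(SAMPLE_KNOWN_HOSTS, resolver.get(typed, typed))


if __name__ == "__main__":
    print("typed name, before DNS change:", lookup_by_typed_name("foo"))
    print("typed name, after DNS change: ", lookup_by_typed_name("foo"))  # unchanged: DNS is never consulted
    print("canonical, before DNS change: ", lookup_by_canonical_name("foo", DNS_BEFORE))
    print("canonical, after DNS change:  ", lookup_by_canonical_name("foo", DNS_AFTER))  # []: unknown-host prompt
```

Keyed on the typed name, a DNS change never alters which stored key is consulted, so a prompt only appears when the name you typed is genuinely new or the key behind it really changed. Keyed on the canonical name, the same typed name silently selects a different entry as soon as DNS changes, which is why the prompt ends up naming a host the user never typed. OpenSSH can be made to behave like the second lookup as well: the ssh_config option CanonicalizeHostname (off by default) resolves the name before the host-key lookup.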
#dns #putty #openssh #ssh