Suvarna Garge (Editor)

SSHFP Resource Record


An SSHFP resource record (SSHFP stands for Secure Shell (Key) Fingerprint) is a DNS resource record that publishes the fingerprint of an SSH host key, so that a client connecting to the host can compare the key the server presents with what the host's DNS zone says it should be.


Structure

<Name> [<TTL>] [<Class>] SSHFP <Algorithm> <Type> <Fingerprint>
<Name>
The domain name of the host to which the resource record belongs (optional)
<TTL>
Time to live in seconds: how long the resource record may be cached (optional)
<Class>
Protocol group to which the resource record belongs, normally IN (optional)
<Algorithm>
Algorithm of the public key (0=reserved, 1=RSA, 2=DSA, 3=ECDSA, 4=Ed25519)
<Type>
Type of fingerprint, i.e. the hash function used (0=reserved, 1=SHA-1, 2=SHA-256)
<Fingerprint>
Hexadecimal representation of the hash result

Example

host.example.com. SSHFP 2 1 123456789abcdef67890123456789abcdef67890

From this record a client can determine that the host with the DNS name host.example.com uses a DSA key (algorithm 2) whose SHA-1 fingerprint (type 1) is "123456789abcdef67890123456789abcdef67890".

Use with OpenSSH Client

The OpenSSH client can compute the fingerprint of the SSH server's host key and compare it with the SSHFP record in DNS, but this check is disabled by default. To enable it, set the VerifyHostKeyDNS option to ask, either on the command line, in your ~/.ssh/config file or in the system-wide /etc/ssh/ssh_config file. Note that a DNS answer is only as trustworthy as the path it travelled: unless the resolver reports the SSHFP answer as DNSSEC-validated (AD bit set), a matching fingerprint still leaves the client with the usual prompt, and OpenSSH only accepts a key silently (VerifyHostKeyDNS yes) when the match is both present and validated. Example:

$ ssh -o "VerifyHostKeyDNS ask" host.example.com
[...]
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

Use ssh-keygen command

The ssh-keygen command can generate, directly from the host's public keys, all the SSHFP entries to insert into your DNS zone. With -r it prints one record per host key and fingerprint type:

# ssh-keygen -r www.example.com
www.example.com IN SSHFP 1 1 5f2f2e0676798a0273572bc77b99d6319a560fd5
www.example.com IN SSHFP 1 2 f5ae7764148c8f587996e5be3324286bdd1e9b935caaf3ff0ed3c9bbc0152097
www.example.com IN SSHFP 2 1 9b913ce5339f8761c26a2ed755156d4785042b2d
www.example.com IN SSHFP 2 2 15477282e6a510a6c534e61f1df40d3750edcf86c6f4bf2ab5a964ccada7be3d
www.example.com IN SSHFP 3 1 1262006f9a45bb36b1aa14f45f354b694b77d7c3
www.example.com IN SSHFP 3 2 e5921564252fe10d2dbafeb243733ed8b1d165b8fa6d5a0e29198e5793f0623b
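The following Python script is an added example, not code from the page or from OpenSSH. It shows what the record structure above and the ssh-keygen -r output boil down to: the fingerprint is simply the SHA-1 or SHA-256 digest of the key blob (the base64 field of an OpenSSH public key line), prefixed with the algorithm number for the key type. It also implements the client-side check from the "Use with OpenSSH Client" section, where the dnssec_validated flag stands in for the resolver's AD bit, so that a match is only reported as trusted when the DNS answer was validated. The two keys it uses (ED25519_LINE and RSA_LINE) are constructed for the demo and are not real key pairs; the function names are this example's own.

```python
"""Build SSHFP records from OpenSSH public key lines and check a host key
against them. Added example with constructed keys, not real host keys."""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers keyed by the key-type string at the start of an
# OpenSSH public key line (RFC 4255: 1, 2; RFC 6594: 3; RFC 7479: 4).
ALGORITHM_NUMBERS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FINGERPRINT_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint for a positive integer (leading 0x00 if MSB set)."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def parse_public_key_line(line: str):
    """Split an OpenSSH public key line into (key type, decoded key blob).
    The blob is exactly what SSHFP fingerprints (and ssh-keygen -r) hash."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob carries its own key-type string; it must agree with the text.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type inside blob does not match text key type")
    return key_type, blob


def fingerprint(blob: bytes, fp_type: int) -> str:
    """Hex digest of the key blob for SSHFP fingerprint type 1 or 2."""
    return FINGERPRINT_HASHES[fp_type](blob).hexdigest()


def sshfp_records(name: str, line: str, fp_types=(1, 2)):
    """The records `ssh-keygen -r <name>` prints for this key, one per type."""
    key_type, blob = parse_public_key_line(line)
    algorithm = ALGORITHM_NUMBERS[key_type]
    return [f"{name} IN SSHFP {algorithm} {t} {fingerprint(blob, t)}"
            for t in fp_types]


def parse_sshfp_rdata(record: str):
    """(algorithm, fingerprint type, hex fingerprint) from a zone-file line."""
    fields = record.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def check_host_key(line: str, records, dnssec_validated: bool) -> str:
    """Classify a server-presented key against the SSHFP set, as a client does.
    "trusted": a record matches and the answer was DNSSEC-validated (AD bit);
    this is the only case OpenSSH accepts silently under VerifyHostKeyDNS yes.
    "match-insecure": a record matches but the answer was not validated, so a
    spoofed DNS reply could have supplied it; the client must still prompt.
    "no-match": no record for this algorithm matches the key."""
    key_type, blob = parse_public_key_line(line)
    algorithm = ALGORITHM_NUMBERS[key_type]
    for record in records:
        alg, fp_type, fp = parse_sshfp_rdata(record)
        if alg != algorithm or fp_type not in FINGERPRINT_HASHES:
            continue
        if hmac.compare_digest(fingerprint(blob, fp_type), fp):
            return "trusted" if dnssec_validated else "match-insecure"
    return "no-match"


def constructed_key_line(key_type: str, blob_body: bytes, comment: str) -> str:
    """Assemble a public key line from a constructed blob (demo data only)."""
    blob = ssh_string(key_type.encode()) + blob_body
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample keys: a 32-byte Ed25519 "public key" and an RSA key with
# e=65537 and a placeholder modulus. Neither belongs to a real key pair.
ED25519_LINE = constructed_key_line(
    "ssh-ed25519", ssh_string(bytes(range(32))), "demo@example")
RSA_LINE = constructed_key_line(
    "ssh-rsa", ssh_mpint(65537) + ssh_mpint((1 << 255) + 0x1234), "demo@example")

if __name__ == "__main__":
    records = sshfp_records("www.example.com", ED25519_LINE)
    print("\n".join(records))
    print(check_host_key(ED25519_LINE, records, dnssec_validated=True))
```

Running the script prints two records for the constructed Ed25519 key (algorithm 4, types 1 and 2, with 40 and 64 hex digits respectively) and then "trusted"; passing dnssec_validated=False instead yields "match-insecure", which is the situation behind the "Matching host key fingerprint found in DNS" prompt shown above.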
