One of the DNS records we support are Secure Shell fingerprint record (abbreviated as SSHFP record). SSHFP is described in RFC4255 written in 2006 by W. Griffin and Jakob Schlyter.
If you log in to your remote host and then run the command ssh-keygen -r example.com you should see something like the information below.
When you have multiple servers you can run ssh-keygen -r server1.example.com and so forth. Also remember to use DNSSEC since an attacker might be able to alter non DNSSEC DNS responses.
When you use ssh to login and verify the fingerprint the following message should be display on the client:
Matching host key fingerprint found in DNS.
Example SSHFP records
example.com IN SSHFP 4 1 1b69784a17572ee7e850107f6b3052699a953ad3
example.com IN SSHFP 4 2 b11000d176792edf9c7645aebb2ccdd4a6eb0cf856cadcb6b82ee18e333bef13
The numbers above 4 1 and 4 2 stands for:
- 4 1 = Ed25519 and SHA-1
- 4 2 = Ed25519 and SHA-256
In out case, key is Ed25519 so the value is 4.
1 - SHA-1
2 - SHA-256
Please sign in to leave a comment.