This article discusses type SSHFP and TLSA DNS records in detail. For a general guide to DNS records and their settings in the customer administration panel, see the article DNS – Domain Records.
Type SSHFP Record
When an SSH client connects to a server, the server proves its identity with its host key. The client therefore has to decide whether the public key the server presents is the expected one, which it normally does by comparing the key's fingerprint with a fingerprint it already trusts, for example one recorded in known_hosts during an earlier connection. The security of the connection depends on that comparison: if the client accepts an unknown key without checking, a man-in-the-middle can present its own key.
The SSHFP DNS record (RFC 4255) gives SSH clients an additional way to make that decision: the fingerprint of the host key presented by the server is compared with the fingerprint published in the domain's DNS zone. All parts of the SSHFP record must match: the algorithm of the key, the hash algorithm of the fingerprint and the fingerprint itself.
Publishing SSHFP records only makes sense if the zone is signed with DNSSEC and the client's resolver validates the signatures; otherwise a spoofed DNS answer could simply carry the fingerprint of an attacker's key. OpenSSH behaves accordingly: with VerifyHostKeyDNS set to yes it accepts a host key on the strength of DNS alone only when the answer was validated by DNSSEC (the resolver returned it with the AD bit set). If the answer is not validated, a matching record is reported but the user is still asked to confirm the key.
SSHFP Record Format
An SSHFP record consists of three fields: the number of the algorithm used to generate the host key (1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519, 6 = Ed448), the number of the hash algorithm used for the fingerprint (1 = SHA-1, 2 = SHA-256) and the fingerprint itself as a hexadecimal string. The fingerprint is the hash of the raw public-key blob, that is the base64 field of the public-key file decoded, not a hash of the text line. A record for a host with an Ed25519 key and a SHA-256 fingerprint therefore begins with "4 2" followed by 64 hex digits. The command ssh-keygen -r hostname prints the records for the keys of the local host in exactly this form, and dig +dnssec SSHFP hostname shows what is currently published.
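The following Python is an added example, not code from the original article or from OpenSSH, showing how an SSHFP record is derived from an OpenSSH public-key line and how a client checks a presented key against a record field by field. The key line it works on is constructed inside the block (the 32 key bytes are simply 0..31, not a real Ed25519 public key) and the host name host.example.com is illustrative; the hashing and the record layout are those of RFC 4255, RFC 6594 (SHA-256) and RFC 7479 (Ed25519).

```python
import base64
import hashlib
import hmac

# Code points from the IANA SSHFP registry (RFC 4255, RFC 6594, RFC 7479, RFC 8709).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(pubkey_line: str, fptype: int = 2) -> tuple[int, int, str]:
    """Derive (algorithm, fptype, fingerprint_hex) from an OpenSSH public-key line.

    The fingerprint is the hash of the raw key blob, i.e. the base64 field of the
    line decoded, which is what ssh-keygen -r publishes.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALGORITHM[keytype], fptype, SSHFP_FPTYPE[fptype](blob).hexdigest()


def format_sshfp(hostname: str, pubkey_line: str, fptype: int = 2) -> str:
    """Render the record as it would appear in a zone file."""
    alg, fpt, fp = sshfp_from_pubkey(pubkey_line, fptype)
    return f"{hostname}. IN SSHFP {alg} {fpt} {fp}"


def sshfp_matches(record: tuple[int, int, str], pubkey_line: str) -> bool:
    """Client-side check: every field of the record must agree with the presented key."""
    alg, fpt, fp = record
    if fpt not in SSHFP_FPTYPE:
        return False  # unknown fingerprint type: cannot verify, so do not trust
    try:
        got_alg, _, got_fp = sshfp_from_pubkey(pubkey_line, fpt)
    except (KeyError, ValueError):
        return False  # unknown key type or malformed key line
    return got_alg == alg and hmac.compare_digest(got_fp, fp.lower())


def constructed_ed25519_pubkey_line() -> str:
    """A CONSTRUCTED key line for demonstration only: the 32 key bytes are 0..31,
    not a real Ed25519 public key.  Blob layout per RFC 8709: string "ssh-ed25519",
    string key."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    line = constructed_ed25519_pubkey_line()
    print(format_sshfp("host.example.com", line))            # SHA-256 record: "... SSHFP 4 2 ..."
    print(format_sshfp("host.example.com", line, fptype=1))  # legacy SHA-1 record: "... SSHFP 4 1 ..."
    record = sshfp_from_pubkey(line)
    print(sshfp_matches(record, line))                       # True
    print(sshfp_matches((3, 2, record[2]), line))            # False: algorithm field differs
```

The match function deliberately refuses unknown fingerprint types instead of skipping the check, and it compares the algorithm number as well as the hash, because a record with the right hash but the wrong algorithm does not identify the key (RFC 4255 requires all fields to match). On a real host, compare the output of ssh-keygen -r against the published records before enabling VerifyHostKeyDNS on clients.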
Type TLSA Record
A DNS record of type TLSA (RFC 6698, the DANE protocol) binds a TLS certificate, or the public key contained in it, to one service identified by host name, transport protocol and port. A client that supports DANE can therefore check that the certificate presented by the server is the one the domain owner published in DNS, independently of or in addition to the public CA system, so a certificate that was substituted on the way, or issued for the name by some other CA, does not pass. As with SSHFP, this only holds if the zone is signed with DNSSEC and the client validates the answer.
TLSA Record Format
A TLSA record has a specific format for both its name and its data. The owner name has the form _port._protocol.hostname, e.g. _443._tcp.www.example.com for an HTTPS server on www.example.com or _25._tcp.mail.example.com for SMTP.
The data of the TLSA record consists of three numeric parameters followed by the certificate association data: the certificate usage (0 = PKIX-TA, 1 = PKIX-EE, 2 = DANE-TA, 3 = DANE-EE), which says whether the record identifies a trust anchor or the end-entity certificate and whether the client must still validate the chain against its CA store; the selector (0 = the whole certificate, 1 = only its SubjectPublicKeyInfo); the matching type (0 = the selected data itself, 1 = its SHA-256 hash, 2 = its SHA-512 hash); and finally the data, as a hexadecimal string, that is compared with the certificate presented by the server. The most common choice is 3 1 1, the SHA-256 hash of the end-entity certificate's SubjectPublicKeyInfo, because it does not depend on any CA and survives certificate renewals as long as the same key pair is kept. Whenever the key or certificate is replaced, the new TLSA record must be published (and the old one kept) for at least the TTL before the switch, otherwise DANE-aware clients will refuse the connection.
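The following Python is an added example, not code from the original article or from any DANE tool. It computes the certificate association data for every selector and matching type, renders the zone-file line, and performs the client-side comparison, including the extraction of the SubjectPublicKeyInfo from a DER certificate that selector 1 requires. In practice the DER certificate would be read from a file (openssl x509 -in cert.pem -outform DER), and the 3 1 1 data can equally be produced with openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256; the certificate in the block is a constructed shell with the real DER layout but placeholder contents so that the example runs offline, and www.example.com is illustrative.

```python
import hashlib
import hmac

SEQUENCE, INTEGER, BIT_STRING, CONTEXT_0 = 0x30, 0x02, 0x03, 0xA0

# Certificate usage values (RFC 6698 section 2.1.1).
TLSA_USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        k = (n.bit_length() + 7) // 8
        length = bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + content


def der_split(tlv: bytes) -> tuple[int, bytes, int]:
    """Return (tag, content, total_length) of the TLV at the start of the buffer."""
    first = tlv[1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(tlv[2:2 + k], "big"), 2 + k
    return tlv[0], tlv[hdr:hdr + n], hdr + n


def der_children(content: bytes) -> list[bytes]:
    """Split the content of a constructed value into its child TLVs (whole encodings)."""
    out, i = [], 0
    while i < len(content):
        _, _, total = der_split(content[i:])
        out.append(content[i:i + total])
        i += total
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (what selector 1 covers).

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_split(cert_der)
    _, tbs_body, _ = der_split(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    if fields[0][0] == CONTEXT_0:  # explicit [0] version is optional (absent in v1 certs)
        fields = fields[1:]
    return fields[5]


def tlsa_assoc_data(selector: int, mtype: int, cert_der: bytes) -> bytes:
    """Certificate association data for a selector / matching-type pair."""
    selected = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    if mtype == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()


def format_tlsa(host: str, port: int, proto: str, usage: int, selector: int,
                mtype: int, cert_der: bytes) -> str:
    """Zone-file line, e.g. _443._tcp.www.example.com. IN TLSA 3 1 1 <hex>."""
    data = tlsa_assoc_data(selector, mtype, cert_der).hex()
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {mtype} {data}"


def tlsa_matches(usage: int, selector: int, mtype: int, assoc_hex: str, cert_der: bytes) -> bool:
    """Check one TLSA record against a certificate from the server's chain.

    Only the association itself is checked here.  For usage 0 and 1 the client must
    additionally validate the PKIX chain; for usage 2 the record is matched against a
    CA certificate in the chain, which the end-entity certificate must chain to.
    """
    if usage not in TLSA_USAGES or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False  # unknown parameter values: the record is unusable, not a match
    try:
        expected = tlsa_assoc_data(selector, mtype, cert_der)
    except (IndexError, KeyError, ValueError):
        return False  # certificate could not be parsed
    return hmac.compare_digest(expected, bytes.fromhex(assoc_hex))


def constructed_certificate() -> bytes:
    """A CONSTRUCTED certificate shell: real DER layout, placeholder contents (empty
    names, zero signature, key bytes 0..31).  It exists only so the example runs offline."""
    ed25519_algid = der_tlv(SEQUENCE, bytes.fromhex("06032b6570"))  # OID 1.3.101.112
    spki = der_tlv(SEQUENCE, ed25519_algid + der_tlv(BIT_STRING, b"\x00" + bytes(range(32))))
    tbs = der_tlv(SEQUENCE,
                  der_tlv(CONTEXT_0, der_tlv(INTEGER, b"\x02"))  # [0] version v3
                  + der_tlv(INTEGER, b"\x01")                     # serialNumber
                  + ed25519_algid                                 # signature
                  + der_tlv(SEQUENCE, b"")                        # issuer (placeholder)
                  + der_tlv(SEQUENCE, b"")                        # validity (placeholder)
                  + der_tlv(SEQUENCE, b"")                        # subject (placeholder)
                  + spki)
    return der_tlv(SEQUENCE, tbs + ed25519_algid + der_tlv(BIT_STRING, b"\x00" + bytes(64)))


if __name__ == "__main__":
    cert = constructed_certificate()
    record = format_tlsa("www.example.com", 443, "tcp", 3, 1, 1, cert)
    print(record)
    print(tlsa_matches(3, 1, 1, record.split()[-1], cert))  # True
    print(tlsa_matches(3, 0, 1, record.split()[-1], cert))  # False: selector 0 hashes the whole certificate
```

Note that the same hash is accepted under selector 1 and rejected under selector 0: the three parameters are part of what is being asserted, not metadata, so a record published with the wrong selector or matching type silently breaks DANE even though the hex data is correct. The parser is the minimum needed to reach the SubjectPublicKeyInfo and should not be used as a general X.509 parser.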
FAQ
Question: Do I have to use these records?
Answer: No, neither SSHFP nor TLSA records are mandatory. Clients that do not support them ignore them, and clients that do support them fall back to their usual checks (known_hosts for SSH, CA validation for TLS) when no record is published. If you do publish them, the zone must be signed with DNSSEC and the records must be updated whenever the host key or certificate changes.