DNS – SSHFP-Type Records

When a client connects to a server over the SSH protocol, the server authenticates itself by presenting its host public key during the initial key exchange. The client derives a fingerprint (a hash) of that key and, on first contact, can verify the server's identity only by comparing this fingerprint with a value it obtained beforehand through some other channel.

The trustworthiness and security of the connection therefore depends on whether the user actually compares the fingerprint computed from the presented key with the expected fingerprint of the server's public key. In practice many users simply accept the key, which leaves the first connection open to a man-in-the-middle.

The DNS SSHFP record (RFC 4255) gives SSH clients another way of authenticating a server: the fingerprint derived from the key the server presents is compared against the fingerprint published in the DNS zone under the server's FQDN. RFC 4255 defined the record for RSA and DSA keys with SHA-1 fingerprints; RFC 6594 added ECDSA keys and SHA-256 fingerprints, and RFC 7479 added Ed25519 keys. When comparing, all parameters of the SSHFP record must agree with the presented key: the algorithm used to generate the key, the algorithm used to generate the key fingerprint, and finally the key fingerprint itself. A record that matches on the digest alone but names a different key algorithm or digest type is not a match.

Publishing SSHFP records only makes sense if the zone is signed with DNSSEC and the client validates the signatures, either itself or through a trusted validating resolver that sets the AD bit. Without validation, an attacker who can spoof DNS answers can spoof the SSHFP record along with the host key, and the record adds nothing. OpenSSH applies exactly this rule: with VerifyHostKeyDNS yes it accepts a matching key without prompting only when the answer was DNSSEC-validated; if the answer was not validated it merely reports that a matching fingerprint was found in DNS and still asks the user to confirm the key.

The Format of a SSHFP Record

An SSHFP Record Consists of the Following Three Parts:

  1. Algorithm Number Specification – the algorithm used to generate the public key
    0 – the reserved value
    1 – RSA (RFC 4255)
    2 – DSA (RFC 4255)
    3 – ECDSA (RFC 6594)
    4 – ED25519 (RFC 7479)
  2. Fingerprint Type Specification – the message-digest algorithm used to generate the fingerprint
    0 – the reserved value
    1 – SHA-1 (RFC 4255; retained for compatibility, new records should use SHA-256)
    2 – SHA-256 (RFC 6594)
  3. Fingerprint – the fingerprint of the server's public key, written as lowercase hexadecimal. It is the digest of the key in its SSH wire format, i.e. the base64-decoded key blob from the server's public host key file, which is exactly the key the server sends during key exchange. A SHA-1 fingerprint is 40 hex digits, a SHA-256 fingerprint 64 hex digits.
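As an added illustration, not code from the original page or from any SSH or DNS project, the following Python derives the SSHFP RDATA from an OpenSSH host-key line using the three fields described above, and checks a presented host key against a set of records the way the comparison rule requires: all three fields must agree, and records that did not come from a DNSSEC-validated answer are never treated as authoritative. The Ed25519 host key is a constructed dummy (an arbitrary 32-byte value, not a real server key), and the function names are assumptions of this example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the
# key-type string that precedes the base64 blob in an OpenSSH key line.
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_host_key(line):
    """Split an OpenSSH public-key line into (key type, raw wire-format blob).

    The SSHFP fingerprint is the hash of the decoded blob, i.e. the key
    exactly as the server sends it during key exchange.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    # The blob begins with a length-prefixed copy of the key type string;
    # reject a line whose text prefix and blob disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type in blob does not match text prefix")
    return key_type, blob


def sshfp_rdata(line, fp_type=2):
    """Return the SSHFP RDATA '<alg> <fptype> <hex fingerprint>' for a host key line."""
    key_type, blob = parse_host_key(line)
    alg = KEY_ALGORITHMS[key_type]
    digest = FP_TYPES[fp_type](blob).hexdigest()
    return f"{alg} {fp_type} {digest}"


def host_key_matches_dns(line, sshfp_records, dnssec_validated):
    """Decide whether a presented host key is authenticated by SSHFP records.

    Some record must agree on all three fields: algorithm number,
    fingerprint type and fingerprint. Records from an answer that was not
    DNSSEC-validated (AD bit from a trusted validating resolver) are never
    authoritative; OpenSSH in that case still asks the user to confirm.
    """
    if not dnssec_validated:
        return False
    key_type, blob = parse_host_key(line)
    alg = KEY_ALGORITHMS.get(key_type)
    for rdata in sshfp_records:
        parts = rdata.split()
        if len(parts) != 3:
            continue  # malformed record, ignore it
        r_alg, r_fpt, r_fp = int(parts[0]), int(parts[1]), parts[2].lower()
        if r_alg != alg or r_fpt not in FP_TYPES:
            continue  # algorithm or digest type does not agree
        if FP_TYPES[r_fpt](blob).hexdigest() == r_fp:
            return True
    return False


def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


# Constructed demo host key: string("ssh-ed25519") + string(32 dummy bytes).
# This is NOT a real server key, only a syntactically valid blob.
DEMO_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
DEMO_HOST_KEY = "ssh-ed25519 " + base64.b64encode(DEMO_BLOB).decode() + " demo"

if __name__ == "__main__":
    rdata = sshfp_rdata(DEMO_HOST_KEY)          # "4 2 <64 hex digits>"
    print(f"ssh.domain.tld. 1800 IN SSHFP {rdata}")
    print(host_key_matches_dns(DEMO_HOST_KEY, [rdata], dnssec_validated=True))
```

With OpenSSH the same RDATA is produced for a real host key by `ssh-keygen -r ssh.domain.tld -f /etc/ssh/ssh_host_ed25519_key.pub`, the published records can be retrieved with `dig +dnssec ssh.domain.tld SSHFP`, and the client consults them when `VerifyHostKeyDNS yes` is set in ssh_config. Publish one record per host key algorithm the server offers, otherwise a client negotiating an algorithm without a record falls back to the manual fingerprint check.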

An Example of an SSHFP DNS Record

The following example shows an SSHFP record carrying the fingerprint of a server with the FQDN ssh.domain.tld:

HOST             TTL      RR type    RR value
---------------------------------------------------------------------------------
ssh.domain.tld.  1800  IN SSHFP      2 1 123456789abcdef67890123456789abcdef67890

Here "2 1" denotes a DSA key fingerprinted with SHA-1 (40 hex digits); the digest shown is a placeholder, not a real fingerprint. A current deployment would publish a SHA-256 record (fingerprint type 2, 64 hex digits) for each host key algorithm the server offers, for example "4 2 ..." for its Ed25519 host key.