SSHFP record
A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established.
Structure
⟨Name⟩ [⟨TTL⟩] [⟨Class⟩] SSHFP ⟨Algorithm⟩ ⟨Type⟩ ⟨Fingerprint⟩
- ⟨Name⟩
- The name of the object to which the resource record belongs (optional)
- ⟨TTL⟩
- Time to live (in seconds). Validity of Resource Records (optional)
- ⟨Class⟩
- Protocol group to which the resource record belongs (optional)
- ⟨Algorithm⟩
- Algorithm (0: reserved, 1: RSA,[1] 2: DSA,[1] 3: ECDSA,[2] 4: Ed25519,[3] 6: Ed448[4])
- ⟨Type⟩
- Algorithm used to hash the public key (0: reserved, 1: SHA-1,[1] 2: SHA-256[2])
- ⟨Fingerprint⟩
- Hexadecimal representation of the hash result, as text
Example
host.example.com.  SSHFP 4 2 123456789abcdef67890123456789abcdef67890123456789abcdef123456789
In this example, the host with the domain name host.example.com uses a Ed25519 key with the SHA-256 fingerprint 123456789abcdef67890123456789abcdef67890.
This output would be produced by a ssh-keygen -r host.example.com. command on the target server by reading the existing default SSH host key (Ed25519).[5] In newer releases of the OpenSSH suite, ssh-keyscan -D $HOSTNAME[6] can be used to produce a similar result, by connecting to the host over the network.
See also
References
- ^ a b c Griffin, Wesley; Schlyter, Jakob (January 2006). "RFC 4255 — Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints". Retrieved 2017-12-28.
- ^ a b Surý, Ondřej (April 2012). "RFC 6594 — Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records". Retrieved 2017-12-28.
- ^ Moonesamy, S. (March 2015). "RFC 7479 — Using Ed25519 in SSHFP Resource Records". Retrieved 2017-12-28.
- ^ Harris, Ben; Velvindron, Loganaden (February 2020). "RFC 8709 — Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol". Retrieved 2021-10-16.
- ^ "ssh-keygen(1) - OpenBSD manual pages". man.openbsd.org. Retrieved 2025-05-30.
- ^ "ssh-keyscan(1) - OpenBSD manual pages". man.openbsd.org. Retrieved 2025-05-30.