SSHFP record
From Wikipedia, the free encyclopedia
A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established.
Structure
<span class="nowrap">⟨Name⟩</span> [<span class="nowrap">⟨[[Time to Live|TTL]]⟩</span>] [<span class="nowrap">⟨Class⟩</span>] SSHFP <span class="nowrap">⟨[[Algorithm]]⟩</span> <span class="nowrap">⟨Type⟩</span> <span class="nowrap">⟨[[Hash function|Fingerprint]]⟩</span>
- ⟨Name⟩
- The name of the object to which the resource record belongs (optional)
- ⟨TTL⟩
- Time to live (in seconds). Validity of Resource Records (optional)
- ⟨Class⟩
- Protocol group to which the resource record belongs (optional)
- ⟨Algorithm⟩
- Algorithm (0: reserved, 1: RSA[1], 2: DSA[1], 3: ECDSA[2], 4: Ed25519[3], 6: Ed448[4])
- ⟨Type⟩
- Algorithm used to hash the public key (0: reserved, 1: SHA-1[1], 2: SHA-256[2])
- ⟨Fingerprint⟩
- Hexadecimal representation of the hash result, as text
Example
host.example.com. SSHFP 4 2 123456789abcdef67890123456789abcdef67890123456789abcdef123456789
In this example, the host with the domain name host.example.com
uses a Ed25519 key with the SHA-256 fingerprint 123456789abcdef67890123456789abcdef67890
. This output would be produced by a ssh-keygen -r host.example.com.
command on the target server by reading the existing default SSH host key (Ed25519).[5]
With the OpenSSH suite, the ssh-keyscan
utility can be used to determine the fingerprint of a host's key; using the -D
will print out the SSHFP record directly.[6]
See also
References
Wikiwand - on
Seamless Wikipedia browsing. On steroids.