Hubbry Logo
SSHFP recordSSHFP recordMain
Open search
SSHFP record
Community hub
SSHFP record
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
SSHFP record
SSHFP record
SSHFP record
View on Wikipedia
from Wikipedia

A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established.

Structure

[edit]
⟨Name⟩ [TTL] [⟨Class⟩] SSHFP Algorithm ⟨Type⟩ Fingerprint
⟨Name⟩
The name of the object to which the resource record belongs (optional)
⟨TTL⟩
Time to live (in seconds). Validity of Resource Records (optional)
⟨Class⟩
Protocol group to which the resource record belongs (optional)
⟨Algorithm⟩
Algorithm (0: reserved, 1: RSA,[1] 2: DSA,[1] 3: ECDSA,[2] 4: Ed25519,[3] 6: Ed448[4])
⟨Type⟩
Algorithm used to hash the public key (0: reserved, 1: SHA-1,[1] 2: SHA-256[2])
⟨Fingerprint⟩
Hexadecimal representation of the hash result, as text

Example

[edit]
host.example.com.  SSHFP 4 2 123456789abcdef67890123456789abcdef67890123456789abcdef123456789

In this example, the host with the domain name host.example.com uses a Ed25519 key with the SHA-256 fingerprint 123456789abcdef67890123456789abcdef67890.

This output would be produced by a ssh-keygen -r host.example.com. command on the target server by reading the existing default SSH host key (Ed25519).[5] In newer releases of the OpenSSH suite, ssh-keyscan -D $HOSTNAME[6] can be used to produce a similar result, by connecting to the host over the network.

See also

[edit]

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

SSHFP record

View on Grokipedia
from Grokipedia
The SSHFP (Secure Shell Fingerprint) record is a specialized resource record in the (DNS) designed to publish fingerprints of (SSH) public host keys, allowing clients to verify the authenticity of an SSH server's identity during connection establishment, particularly when secured by DNS Security Extensions (DNSSEC). This record addresses a common vulnerability in SSH deployments where users might accept unverified host keys, potentially enabling man-in-the-middle attacks, by providing an out-of-band mechanism to distribute and validate key fingerprints directly from the DNS infrastructure. Defined in RFC 4255, published in January 2006 by the (IETF), the SSHFP record has a type code of 44 and is intended for use in environments where DNSSEC is deployed to ensure the integrity and authenticity of the published s. The record's structure consists of three main fields in its resource data (RDATA): an algorithm number identifier (such as 1 for RSA, 2 for DSA, 3 for ECDSA, 4 for Ed25519, or 6 for Ed448), a type (such as 2 for SHA-256 hashing), and the actual value represented as a sequence of digits. Subsequent standards, including RFC 6594 (2012) for SHA-256 fingerprints and ECDSA support, RFC 7479 (2015) for Ed25519 algorithm support (type 4), and RFC 8709 (2020) for Ed448 support (type 6), have extended the original specification to accommodate modern cryptographic practices and stronger hash functions. Note that (type 1) fingerprints are deprecated due to weaknesses and will be ignored by recent versions (as of October 2025). In practice, SSH clients query for SSHFP records associated with the server's upon initiating a connection; if a matching record is found and validated via DNSSEC, the client's computed fingerprint of the presented host key is compared against the published one to confirm legitimacy. This approach enhances SSH without relying solely on manual or known-hosts files, though remains limited due to varying DNSSEC and verification support in SSH implementations, including recent vulnerabilities when enabled (e.g., CVE-2025-26465). Administrators can generate SSHFP records using tools like [ssh-keygen](/page/Ssh-keygen) or ssh-keyscan based on existing host keys, publishing them alongside other DNS records for the target domain.

Introduction

Definition and Purpose

The SSHFP (Secure Shell Fingerprint) resource record is a type of DNS resource record with type code 44 that enables the publication of cryptographic fingerprints derived from an SSH public host key, associating them directly with a in the DNS hierarchy. This record serves as a standardized mechanism for administrators to securely distribute verifiable key information without relying on manual out-of-band methods. The primary purpose of the SSHFP record is to facilitate the authentication of an SSH server's host key by allowing clients to compare the presented key against the pre-published obtained from DNS, thereby detecting potential discrepancies during connection establishment. By providing this automated verification channel, SSHFP records help mitigate man-in-the-middle (MITM) attacks, where an adversary might impersonate the legitimate server with a forged key, as the client can cross-check the key's integrity against the DNS-published value before proceeding with the session. To ensure the reliability of this process, SSHFP records must be protected by DNSSEC (DNS Security Extensions) signatures, which validate the record's authenticity and prevent tampering or spoofing in the DNS resolution path. This integration with the SSH protocol occurs at the host key verification stage, where DNSSEC-validated SSHFP data supplements the standard SSH without altering the core protocol flow.

History

The SSHFP record was first proposed and standardized in RFC 4255, published by the (IETF) in January 2006, under the title "Using DNS to Securely Publish (SSH) Key Fingerprints." Authored by J. Schlyter and W. Griffin, this document outlined a method for publishing cryptographic fingerprints of SSH public host keys in the (DNS), leveraging DNS Security Extensions (DNSSEC) for integrity and authenticity. The primary motivation stemmed from the limitations of early SSH deployments, where host keys were typically exchanged manually or via insecure channels, leaving systems vulnerable to man-in-the-middle attacks and key substitution. By enabling automated, DNS-based distribution and verification of key fingerprints, the SSHFP record addressed these security gaps, allowing clients to confirm a server's identity without prior out-of-band coordination. Initial implementations followed closely, with incorporating support for the record type in version 9.3.2 released in March 2006, and adding client-side verification via the VerifyHostKeyDNS option starting in version 4.2p1 in September 2006. Subsequent refinements expanded compatibility with evolving cryptographic standards. RFC 6594, issued in April 2012, introduced support for (ECDSA) keys and SHA-256 fingerprints to enhance security against emerging threats. This was followed by RFC 7479 in March 2015, which added the Ed25519 algorithm to the SSHFP framework, reflecting the broader shift toward efficient, high-security in SSH. Adoption accelerated post-2010 alongside the maturation of DNSSEC, as resolver libraries and SSH clients increasingly integrated validation capabilities, though deployment remained niche due to DNSSEC's gradual rollout. As of 2025, SSHFP records enjoy widespread support in modern DNS resolvers such as (all versions since 9.3), Unbound, and , as well as in SSH clients including (versions 4.2 and later), though in , the VerifyHostKeyDNS option must be explicitly enabled as it is disabled by default. No major updates or pending IETF RFCs have been issued since 2015, with focus shifting to deprecation of legacy elements like SHA-1 fingerprints in ongoing releases.

Record Format

Fields

The SSHFP resource record is a DNS resource record type with numeric identifier 44, typically used in the Internet (IN) class, and consists of resource data (RDATA) composed of three fields that encode information about an SSH public host key fingerprint. In the wire format, the RDATA is a sequence of octets structured as follows: the first field is the algorithm number, a single octet representing an unsigned integer that identifies the public key algorithm used (for example, 1 for RSA or 2 for DSA); the second field is the fingerprint type, also a single octet unsigned integer specifying the hashing algorithm applied to generate the fingerprint (for example, 1 for SHA-1); and the third field is the fingerprint itself, a variable-length octet string containing the binary hash value, whose length is determined by the fingerprint type (for example, 20 octets for SHA-1). The total length of the RDATA is therefore 2 octets plus the length of the fingerprint.
FieldSize (Octets)TypeDescription
Algorithm Number1Unsigned IntegerIdentifies the public key algorithm (e.g., 1 = RSA, 2 = DSA).
Fingerprint Type1Unsigned IntegerSpecifies the hash algorithm for the (e.g., 1 = ).
FingerprintVariableOctet StringBinary hash of the public key, length based on type (e.g., 20 bytes for ).
In the zone file presentation format, the SSHFP record is represented textually as a domain name followed by the type (SSHFP), class (IN), time-to-live (TTL), and RDATA consisting of the algorithm number, fingerprint type, and the fingerprint encoded as a sequence of hexadecimal digits without spaces or colons (for example, example.com. IN SSHFP 1 1 abcdef1234567890fedcba0987654321abcdef12).

Algorithm Identifiers

The SSHFP record employs two distinct sets of algorithm identifiers: one for the public key algorithm and another for the fingerprint type. These numeric values are encoded in the third and fourth fields of the record, respectively, and are standardized to ensure across SSH implementations. The identifiers are maintained in the IANA "DNS SSHFP Resource Record Parameters" registry, which is updated through IETF review procedures via RFC publications. Public key algorithm numbers specify the cryptographic algorithm used for the SSH host key. The assigned values are as follows: 0 is reserved; 1 denotes RSA; 2 denotes DSA (also referred to as DSS); 3 denotes ECDSA; 4 denotes Ed25519; and 6 denotes Ed448, with value 5 currently unassigned. These assignments originated in RFC 4255 for the initial types (0–2) and were extended in subsequent RFCs, such as RFC 6594 for ECDSA, RFC 7479 for Ed25519, and RFC 8709 for Ed448. Fingerprint type numbers identify the hash algorithm applied to the public key to produce the . The current assignments are: 0 is reserved; 1 denotes SHA-1; and 2 denotes SHA-256. While SHA-1 (type 1) remains defined, it is vulnerable to collision attacks and is being deprecated in major implementations like , with plans announced in October 2025 for ignoring SHA-1 SSHFP records and generating only SHA-256 equivalents in a future release after version 10.2. SHA-256 (type 2) was introduced in RFC 6594 to address these weaknesses. SSH clients SHOULD support multiple fingerprint types for robustness. When both SHA-1 and SHA-256 records are present for the same public key algorithm, clients MUST prefer SHA-256 and reject the key if the SHA-256 fingerprint does not match, without falling back to SHA-1 to mitigate downgrade attacks.
Public Key AlgorithmFingerprint TypeCommon Use CaseReference
RSA (1)SHA-256 (2)Legacy RSA keys with modern hashing for broad compatibilityRFC 4255, RFC 6594
ECDSA (3)SHA-256 (2)Elliptic curve keys with recommended hashRFC 6594
Ed25519 (4)SHA-256 (2)High-performance curve25519-based keysRFC 7479
Ed448 (6)SHA-256 (2)Larger curve448-based keys for enhanced securityRFC 8709

Implementation

Generating Records

Generating SSHFP records involves extracting the server's public host keys and computing their fingerprints according to the specifications in RFC 4255, which defines the fingerprint as a message digest of the public key blob using a specified hash algorithm. The public host keys are typically stored in files such as /etc/ssh/ssh_host_rsa_key.pub, /etc/ssh/ssh_host_ecdsa_key.pub, and /etc/ssh/ssh_host_ed25519_key.pub on systems running OpenSSH. To compute the fingerprint manually, first extract the base64-encoded public key blob from the .pub file (excluding the key type prefix like "ssh-rsa "), decode it to binary, apply the hash function (e.g., SHA-256 via openssl dgst -sha256 -binary), and encode the resulting digest as a hexadecimal string for the SSHFP record. The primary tool for generating SSHFP records is OpenSSH's ssh-keygen utility, which automates the fingerprint computation and formats the output as DNS resource records. The command ssh-keygen -r hostname -f /path/to/public_key.pub prints SSHFP records for the specified and key file, defaulting to both SHA-1 and SHA-256 fingerprints if no hash is selected via the -O hash=algorithm option. For example, running this on an RSA host key produces records like hostname. IN SSHFP 1 2 <SHA-256-hex-fingerprint>, where 1 denotes the RSA algorithm and 2 denotes SHA-256. This tool ensures compliance with RFC 4255 by handling the public key parsing and digest calculation directly. Alternative methods include manual computation using 's dgst command for custom hashing needs, such as echo -n 'base64-decoded-key-blob' | [openssl](/page/OpenSSL) dgst -sha256 -hex, followed by assembling the SSHFP record manually with the algorithm identifiers. Another option is leveraging ssh-keyscan for remote key retrieval and direct SSHFP output, using ssh-keyscan -D [hostname](/page/Hostname) to fetch keys over and print formatted records without needing local access to the key files. Once generated, SSHFP records must be integrated into the DNS zone file for publication, requiring DNSSEC signing to ensure authenticity. For , edit the (e.g., example.com.zone) to append the records in standard syntax, such as hostname. 3600 IN SSHFP 1 2 <fingerprint>, then sign the zone using dnssec-signzone -o example.com example.com.zone and reload the server with rndc reload. In , add records via the or pdnsutil tool (e.g., pdnsutil add-record example.com hostname SSHFP 3600 1 2 <fingerprint>), enable DNSSEC with pdnsutil secure-zone example.com, and the server automatically generates and serves signatures. DNSSEC integration is essential, as unsigned zones undermine the security value of SSHFP records. Best practices recommend generating SSHFP records for multiple public key algorithms (e.g., RSA, ECDSA, Ed25519) and hash types, prioritizing SHA-256 for while including as a fallback for legacy compatibility, resulting in up to six records per host to maximize client support. Records should be updated promptly upon host key rotation, which occurs during server reconfiguration or incidents; regenerate using the same tools and propagate changes to DNS to avoid verification failures. For automation, especially in large environments, scripts can invoke ssh-keyscan -D to collect keys from remote hosts and pipe output directly into DNS management tools or zone files, ensuring consistent updates across multiple servers without manual intervention.

Client Verification

SSH clients utilize SSHFP to enhance host key verification during connection establishment, providing an additional layer of assurance against man-in-the-middle attacks when DNSSEC is deployed. In , this feature is enabled via the command-line option -o VerifyHostKeyDNS=yes or by setting VerifyHostKeyDNS yes in the ~/.ssh/config or /etc/ssh/ssh_config file. When activated, the client performs DNS lookups for SSHFP associated with the target hostname before accepting the server's presented public key. The verification process begins with the client querying the DNS for SSHFP resource records (RR type 44) under the specified . Upon receiving the records, the client extracts the algorithm identifier and from each SSHFP entry and compares them against the corresponding values derived from the server's offered host key. A successful verification requires both an exact match in algorithm and , as well as successful DNSSEC validation of the records via a trusted (e.g., SIG RR). If these conditions are met, the client proceeds with the connection, treating the key as authenticated. OpenSSH supports three modes for VerifyHostKeyDNS: no (default, disables DNS verification), yes (implicitly trusts matching secure DNS fingerprints without prompting), and ask (informs the user of the match status and requires confirmation for mismatches or insecure records). In yes mode, a matching secure record allows automatic acceptance, while any mismatch or absence of a secure match triggers fallback to standard host key checking via the known_hosts file, potentially prompting the user based on StrictHostKeyChecking. For insecure (unsigned or unvalidated) DNS responses, the client treats them equivalently to the ask mode, warning the user and requiring manual intervention to avoid accepting potentially tampered keys. Support for SSHFP verification is available in since version 5.1p1 (2008), making it the primary implementation for systems. Other clients include libraries such as libssh, which integrate SSHFP lookups through options for custom applications. offers limited support via third-party plugins or forks like KiTTY, though native implementation remains on its wishlist without full integration as of recent releases. Note that in OpenSSH versions 6.8p1 through 9.9p1, when VerifyHostKeyDNS is enabled, a allowed man-in-the-middle attacks (CVE-2025-26465). This was fixed in OpenSSH 9.9p2 (February 2025). Users should update to 9.9p2 or later to mitigate this vulnerability. Troubleshooting common issues involves handling multiple SSHFP records, where the client accepts the connection if at least one record matches the server's key and passes DNSSEC validation; non-matching records are ignored without rejection. For IPv4 and resolutions, the client queries SSHFP records using the canonical hostname regardless of the address family, ensuring consistency across dual-stack environments. If DNS resolution fails, no records are found, or validation does not pass, the client falls back to manual verification using the local known_hosts file or user prompts, preventing connection denial but alerting to potential risks. For stricter configurations, administrators can combine VerifyHostKeyDNS with the UpdateHostKeys option set to yes in ssh_config, enabling automatic updates to the known_hosts file with verified keys from the server (via the [email protected] extension, supported since 6.8). This setup automates while enforcing DNS-based validation, though UpdateHostKeys defaults to no when VerifyHostKeyDNS is enabled unless explicitly overridden; care must be taken to ensure DNSSEC coverage to maintain security.

Examples

Zone File Entry

SSHFP records in DNS zone files follow the standard syntax for resource records, specifying the , (TTL), class (typically IN for ), record type (SSHFP), algorithm identifier, type, and the value without spaces or colons. A basic example for an RSA public key using SHA-256 fingerprinting might appear as follows, with a common TTL of 3600 seconds (1 hour) to balance freshness and load:

example.com. 3600 IN SSHFP 1 2 1234567890abcdef1234567890abcdef1234567890abcdef12345678

example.com. 3600 IN SSHFP 1 2 1234567890abcdef1234567890abcdef1234567890abcdef12345678

Here, 1 denotes the RSA algorithm and 2 indicates SHA-256 hashing, as defined in RFC 6594, which extends the original SSHFP specification to support stronger digests. Zone administrators often publish multiple SSHFP records for the same hostname to support different key algorithms, allowing clients to verify whichever key the server presents. For instance, one record for an Ed25519 key with SHA-256 and another for RSA with (though is deprecated for new deployments) could be:

example.com. 3600 IN SSHFP 4 2 abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890 example.com. 3600 IN SSHFP 1 1 1234567890abcdef1234567890abcdef12345678

example.com. 3600 IN SSHFP 4 2 abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890 example.com. 3600 IN SSHFP 1 1 1234567890abcdef1234567890abcdef12345678

The Ed25519 algorithm (4) is specified in RFC 7479, enabling efficient . When integrated with DNSSEC for authenticity, SSHFP records are accompanied by DNSKEY records publishing the zone-signing public key and RRSIG records providing cryptographic signatures over the SSHFP data. A simplified example zone snippet, assuming a 256-bit ECDSA DNSSEC key (algorithm 13), might include:

example.com. 3600 IN DNSKEY 257 3 13 AwEAA... (base64-encoded public key) example.com. 3600 IN SSHFP 1 2 1234567890abcdef1234567890abcdef1234567890abcdef12345678 example.com. 3600 IN RRSIG SSHFP 13 2 3600 20251213120000 20251113120000 12345 example.com. AwEAA... (signature)

example.com. 3600 IN DNSKEY 257 3 13 AwEAA... (base64-encoded public key) example.com. 3600 IN SSHFP 1 2 1234567890abcdef1234567890abcdef1234567890abcdef12345678 example.com. 3600 IN RRSIG SSHFP 13 2 3600 20251213120000 20251113120000 12345 example.com. AwEAA... (signature)

This setup ensures the fingerprints cannot be altered in transit, per DNSSEC standards in RFC 4034. Common syntax pitfalls in BIND zone files include inserting spaces or colons within the hexadecimal fingerprint, which invalidates the record, or using textual mnemonics (e.g., "RSA" instead of 1) instead of numeric identifiers, as BIND requires strict adherence to the wire format presentation. Proper spacing between fields—single spaces separating the algorithm, fingerprint type, and fingerprint—is essential for parsing.

Command-Line Generation

SSHFP records can be generated from the command line using the ssh-keygen utility included in distributions. A basic example involves specifying a and the path to a public host key file, which produces DNS resource records with fingerprints for both and SHA-256 algorithms by default. For instance, the command ssh-keygen -r example.com -f /etc/ssh/ssh_host_rsa_key.pub outputs multiple SSHFP lines corresponding to the RSA public key's fingerprints, formatted for direct inclusion in a . To customize the generation, the public key type is selected by providing the appropriate key file (e.g., /etc/ssh/ssh_host_ed25519_key.pub for Ed25519), while the hash algorithm can be specified using the -O option. For example, ssh-keygen -r example.com -O hashalg=sha256 -f /etc/ssh/ssh_host_ed25519_key.pub generates only the SHA-256 fingerprint record for the Ed25519 key. The fingerprint types are implicit based on the selected hash, adhering to the algorithm identifiers defined in RFC 4255. For scenarios where direct access to the key file is unavailable, such as on untrusted networks, public keys can be retrieved remotely using ssh-keyscan and piped to ssh-keygen. The command ssh-keyscan -t rsa example.com | ssh-keygen -r example.com -f - fetches the RSA host key and generates the corresponding SSHFP records, with -f - indicating input from standard input. However, this method requires manual verification of the retrieved keys to mitigate man-in-the-middle risks, as ssh-keyscan does not perform authentication. The output from these commands can be redirected to a file for easy integration into files. For example, ssh-keygen -r example.com -f /etc/ssh/ssh_host_rsa_key.pub > sshfp_records.txt saves the SSHFP lines to sshfp_records.txt, allowing administrators to review and append them as needed. These tools are natively available in on and macOS systems. On Windows, ssh-keygen and related utilities are provided through the OpenSSH for Windows feature, installable via Windows Settings or , enabling the same command-line generation on and later versions.

Security Considerations

Benefits

SSHFP records enhance security in SSH deployments by automating the verification of host public keys against pre-published fingerprints in DNS, thereby reducing reliance on manual maintenance of known_hosts files and mitigating man-in-the-middle (MITM) attacks when combined with DNSSEC validation. This binding of key fingerprints to domain names via cryptographically signed DNS records ensures that clients can authenticate servers without exchanges, preventing unauthorized key substitutions during initial connections. The centralized distribution of SSHFP records through DNS infrastructure supports scalability, particularly in large-scale or dynamic IP environments where host keys must be managed across numerous systems without individual configuration updates. Tools like and ssh-keyscan facilitate bulk generation and publication, making it feasible to deploy records for fleets of servers whose IP addresses may change frequently, as the records are tied to stable domain names rather than transient IPs. SSHFP records offer convenience by eliminating the need for manual key fingerprint exchanges or trust-on-first-use prompts, integrating directly into standard SSH client workflows for seamless verification. This automation minimizes user intervention and potential errors, such as accepting tampered keys, while supporting troubleshooting through straightforward DNS lookups. The immutability of DNSSEC-signed SSHFP records enables auditability, providing a tamper-evident historical log of host key fingerprints that supports compliance verification and forensic analysis of SSH access patterns. Empirical analysis from 2022 indicates low overall adoption, with SSHFP present in only about 1 in domains, yet demonstrates high effectiveness in setups where DNSSEC is applied for preventing MITM risks at minimal administrative cost, though less than 50% of analyzed were secured with DNSSEC.

Limitations and Best Practices

SSHFP records rely heavily on DNSSEC for their security guarantees, as unsigned DNS zones offer no protection against tampering or spoofing of the published fingerprints. Without DNSSEC validation, an attacker could forge SSHFP records to facilitate man-in-the-middle attacks during SSH connections. Additionally, if the DNS infrastructure itself is compromised—such as through or authoritative server breaches—the integrity of SSHFP records is undermined, potentially allowing substitution of malicious host keys. Furthermore, SSHFP records do not inherently support automated key rotation; any change to the SSH host key requires manual or scripted updates to the corresponding DNS records to maintain verification. A 2025 study of German domains reported continued low adoption, with SSHFP present in only 0.04% of subdomains, and found that 50% of SSHFP-using subdomains were misconfigured, including mismatched fingerprints or missing DNSSEC signatures. Regarding algorithm choices, the use of for fingerprint generation is discouraged due to demonstrated collision vulnerabilities that could enable attackers to craft deceptive . Instead, SHA-256 or stronger hash algorithms should be preferred, as they provide greater resistance to such attacks and are recommended for new deployments to mitigate downgrade risks. Adoption of SSHFP records faces several barriers, including incomplete support across SSH client implementations—many, such as , require explicit configuration to enable verification, which is not enabled by default. The administrative overhead associated with maintaining DNSSEC-signed zones further hinders widespread use, as it demands coordination between SSH server administrators and managers, along with ongoing validation of signatures. Large-scale analyses indicate that only about 1 in 10,000 domains deploy SSHFP records, with over half of those lacking DNSSEC protection. To maximize the effectiveness of SSHFP records, zones must always be signed with DNSSEC to ensure authenticity. Administrators should publish fingerprints using multiple hash types (e.g., both SHA-256 and, if necessary, as a fallback) to support diverse clients while prioritizing stronger algorithms. Regular monitoring for host key changes is essential, with automated tools used to update records promptly upon rotation. Verification should be tested in staging environments before production rollout to confirm compatibility and correct DNSSEC chaining. Finally, SSHFP should be combined with strict host key checking policies in client configurations, such as setting UpdateHostKeys no to prevent automatic acceptance of unverified keys. Looking ahead, the emergence of post-quantum cryptographic algorithms, such as ML-DSA, will necessitate updates to the IANA registry for SSHFP algorithm identifiers to accommodate quantum-resistant signatures.

References

  1. https://datatracker.ietf.org/doc/html/rfc4255
  2. https://www.rfc-editor.org/rfc/rfc6594.html
  3. https://www.rfc-editor.org/rfc/rfc7479.html
  4. https://www.rfc-editor.org/rfc/rfc8709.html
  5. https://www.openssh.com/releasenotes.html
  6. https://nvd.nist.gov/vuln/detail/CVE-2025-26465
  7. https://www.rfc-editor.org/rfc/rfc4255.html
  8. https://www.openssh.com/txt/release-4.2
  9. https://blog.apnic.net/2022/12/02/improving-sshs-security-with-sshfp-dns-records/
  10. https://www.isc.org/bind/
  11. https://www.openwall.com/lists/oss-security/2025/10/06/1
  12. https://www.iana.org/assignments/dns-sshfp-rr-parameters
  13. https://www.openssh.com/txt/release-10.1
  14. https://datatracker.ietf.org/doc/html/rfc6594
  15. https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html
  16. https://stackoverflow.com/questions/66239484/obtain-the-fingerprint-of-an-openssl-rsa-public-key
  17. https://.apnic.net/2022/12/02/improving-sshs-security-with-sshfp-dns-records/
  18. https://bind9.readthedocs.io/en/latest/dnssec-guide.html
  19. https://man.openbsd.org/ssh_config
  20. https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
  21. https://man7.org/linux/man-pages/man1/ssh-keyscan.1.html
  22. https://www.openssh.com/portable.html
  23. https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement
  24. https://www.sidn.nl/en/news-and-blogs/sshfp-offers-structural-solution-to-ssh-key-distribution-problem
  25. https://dnsrecord.co.uk/how-beneficial-is-the-sshfp-record/
  26. https://link.springer.com/chapter/10.1007/978-3-031-20974-1_4
  27. https://publikationen.bibliothek.kit.edu/1000186330/168759652
  28. https://www.ietf.org/archive/id/draft-os-ietf-sshfp-ecdsa-sha2-02.html
  29. https://sfluhrer.github.io/ssh-mldsa/draft-sfluhrer-ssh-mldsa.html
Add your contribution
Related Hubs
User Avatar
No comments yet.