[dns-operations] Is anyone actually using SSHFP records?

Philip Homburg philip at nlnetlabs.nl
Wed Feb 26 19:34:03 UTC 2025


On 26/02/2025 19:00, Phillip Hallam-Baker wrote:
>
> As part of that, I wanted to know if there was any *existing* use of 
> the SSHFP record for publishing SSH credentials and if so whether it 
> was limited to the server. And yes, I can read the specs, what I am 
> asking about is actual practice.
>

My personal opinion (that quite a few people disagree with) is that 
SSHFP records can be trusted only if the application does DNSSEC 
validation. However, implementations tend to rely on the AD bit. For a 
while I had a fork of OpenSSH that did do DNSSEC validation, but it was 
too much work to maintain.
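
The distinction drawn in the message above, as an added example that is not part of the original post or of any SSH implementation: matching a host key against SSHFP RDATA, then reporting whether a match is backed by nothing more than the AD bit in the response header. The key, the RDATA and the two DNS headers are constructed sample data, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

AD_FLAG = 0x0020  # "Authentic Data" bit in the DNS header flags word
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}  # SSHFP algorithm numbers
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}           # SSHFP fingerprint types

def ad_bit(dns_message: bytes) -> bool:
    """Return the AD bit of a raw DNS response (12-byte header minimum)."""
    if len(dns_message) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", dns_message[2:4])
    return bool(flags & AD_FLAG)

def key_blob(pubkey_line: str) -> tuple[int, bytes]:
    """Map an OpenSSH public key line to (SSHFP algorithm, raw key blob)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack("!I", blob[:4])
    if keytype not in KEY_ALGS or blob[4:4 + n] != keytype.encode():
        raise ValueError("unsupported or inconsistent key type")
    return KEY_ALGS[keytype], blob

def sshfp_matches(pubkey_line: str, rdata: bytes) -> bool:
    """Compare a host key with one SSHFP RDATA: algorithm, fp type, digest."""
    if len(rdata) < 3:
        return False
    alg, fp_type, digest = rdata[0], rdata[1], rdata[2:]
    key_alg, blob = key_blob(pubkey_line)
    if alg != key_alg or fp_type not in FP_HASHES:
        return False
    return FP_HASHES[fp_type](blob).digest() == digest

def verdict(pubkey_line: str, rdatas: list[bytes], dns_message: bytes) -> str:
    if not any(sshfp_matches(pubkey_line, r) for r in rdatas):
        return "mismatch"
    # A set AD bit is the resolver's claim that it validated the answer;
    # no signature is checked here, so trust extends to the resolver and the path to it.
    return "match, trust rests on resolver AD bit" if ad_bit(dns_message) else "match, insecure"

def ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b

# Constructed sample data: an Ed25519-shaped key blob, its SSHFP 4 2 RDATA, two headers.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host.example"
SAMPLE_RDATA = bytes([4, 2]) + hashlib.sha256(SAMPLE_BLOB).digest()
HDR_AD = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 0)     # QR, RD, RA, AD
HDR_NO_AD = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
```

Neither verdict for a match corresponds to validation done by the application itself, which is the case the message says should be required.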