[dns-operations] Is anyone actually using SSHFP records?
Phillip Hallam-Baker
phill at hallambaker.com
Wed Feb 26 20:33:23 UTC 2025
OK, summarizing the private responses, it is clear this is something worth
populating for the server side, and I will probably populate a TXT record
and, if it is a service as opposed to a host that is being accessed, an SRV
as well.
I don't see DNSSEC as being essential. It is a nice-to-have but that is
all; if my client is getting its DNS from a resolver that is also the
authoritative for the zone and that is secured using something like DPRIV,
that is just as good.
The other side of the connection, the client, is something I will be
looking to get a draft out on. The basic idea being that
@phill.hallambaker.com is a handle anyone setting up an Internet service can
use as the basis for authenticating me.
So I would appreciate it if anyone wants to discuss the best approach to this
while we are in Bangkok.
The user experience I am aiming for with a webcam is Alice buys the webcam,
gives it a name in the DNS space for her house 'webcam.house.example.com'
and lists @alice.example.com, @bob.example.net, @carol.example.com as the
list of people authorized to access it. From that point on, they can go to
https://webcam.house.example.com/ and log in via OAUTH using a regular
browser.
This is basically automation like Puppet and Ansible BUT for consumers. So
I don't ask if they want to do it way A or way B, I pick one or both.
I want to make SSH the same experience, so Alice can set up a Raspberry Pi,
give it a name, and this time the list of authorized users is a list of
dns-handle/account pairs to map the globally unique but tiresome
alice.example.com to her local unix account alice.
The challenge is working out how to achieve that with the existing SSH servers.
On Wed, Feb 26, 2025 at 2:42 PM Philip Homburg <philip at nlnetlabs.nl> wrote:
>
> On 26/02/2025 19:00, Phillip Hallam-Baker wrote:
>
> As part of that, I wanted to know if there was any *existing* use of the
> SSHFP record for publishing SSH credentials and if so whether it was
> limited to the server. And yes, I can read the specs, what I am asking
> about is actual practice.
>
> My personal opinion (that quite a few people disagree with) is that SSHFP
> records can be trusted only if the application does DNSSEC validation.
> However, implementations tend to rely on the AD bit. For a while I had a
> fork of openssh that did do DNSSEC validation but it was too much work to
> maintain.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
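The SSHFP and AD-bit point in the quoted reply, as an added example that is not part of the original thread: building an SSHFP RR from an OpenSSH public key line (RFC 4255/6594/7479 algorithm and fingerprint-type numbers), checking a presented host key against an SSHFP RRset, and a small policy function capturing that an AD bit is only meaningful when the resolver and the path to it are trusted. The sample host key is constructed for the demo and all function names are mine.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by OpenSSH key type name (RFC 4255, 6594, 7479);
# fingerprint types: 1 = SHA-1, 2 = SHA-256 (the one worth publishing today).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}


def sshfp_from_pubkey_line(line, fp_type=2):
    """Turn one line of an OpenSSH public key file (e.g. ssh_host_ed25519_key.pub)
    into an SSHFP (algorithm, fptype, fingerprint-hex) tuple. The fingerprint is
    the hash of the raw wire-format key blob, i.e. the base64 field decoded."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.sha256(blob) if fp_type == 2 else hashlib.sha1(blob)
    return SSHFP_ALGORITHM[key_type], fp_type, digest.hexdigest()


def host_key_matches(line, sshfp_rrset):
    """True if the host key presented by the server matches at least one SSHFP RR
    (RR fingerprints are case-insensitive hex, so compare lower-cased)."""
    return any(sshfp_from_pubkey_line(line, fp_type) == (alg, fp_type, fp.lower())
               for alg, fp_type, fp in sshfp_rrset)


def sshfp_usable(validated_locally, ad_bit, resolver_path_trusted):
    """Policy from the thread: SSHFP data may drive host authentication only if the
    application validated DNSSEC itself, or the AD bit came from a trusted resolver
    over a protected path (DoT/DoH). A bare AD bit over plain UDP proves nothing."""
    return validated_locally or (ad_bit and resolver_path_trusted)


def make_pubkey_line(key_type, raw_key_bytes, comment="host@example"):
    """Build an OpenSSH public key line from a wire-format blob (SSH string of the
    type name followed by the key bytes). Used here only to construct sample input."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: 32 made-up bytes standing in for an ed25519 public key.
SAMPLE_LINE = make_pubkey_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    alg, fpt, fp = sshfp_from_pubkey_line(SAMPLE_LINE)
    print(f"webcam.house.example.com. IN SSHFP {alg} {fpt} {fp}")
```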