[dns-operations] [Ssh] Re: Re: Is anyone actually using SSHFP records?
Phillip Hallam-Baker
phill at hallambaker.com
Thu Feb 27 01:31:03 UTC 2025
My whole approach is predicated on the theory that we have to take the
human out of the admin loop if any data in the DNS is going to be worth
using.
Network admin is painful because you have multiple systems that need to be
kept in sync: you have the service configuration, the DNS, the network, the
firewall/NAS and of course the WebPKI.
The admin model is all the network config information goes into one place
that serves as the source of truth from which all the component
configurations are computed.
On Wed, Feb 26, 2025 at 7:48 PM George Michaelson <ggm at algebras.org> wrote:
> In the same spirit, I know a group using them, but they're so prone to
> bitrot from OS upgrades, which with virtuals is a low-cost operation and
> mostly avoids issues for the real job of the machine: individuals' keying
> info is in their home states, which copy in from other places, but the SSHFP
> information is recreated in the new VM build, and then nobody remembers to
> update the central view.
>
> I think the record itself structurally is fine. But the operational duty
> cycle over it, is probably not adequately integrated into systems. "Don't
> forget to update your SSHFP record for this host" or "I am re-using the
> host SSHID information you copied into my install process" type stories
> would help.
>
> -G
> _______________________________________________
> Ssh mailing list -- ssh at ietf.org
> To unsubscribe send an email to ssh-leave at ietf.org
>
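Worked example (added here by the editor; it is not code from either poster). Both messages circle the same mechanism: the SSHFP RDATA is a deterministic function of the host public key (algorithm number, fingerprint type, hash of the raw key blob, exactly what `ssh-keygen -r` prints), so it can be computed from an inventory rather than remembered, and the "rebuilt VM, stale record" failure George describes can be detected by diffing the computed set against what the zone publishes. The host name `vm1.example.net.` and both ed25519 keys are constructed for the demo; the key bytes are arbitrary, not real host keys.

```python
"""Compute SSHFP RRs from OpenSSH host public keys and diff them against what
a zone currently publishes, so the record is derived from the host key (the
source of truth) instead of being remembered by an admin."""
import base64
import hashlib
import struct
from dataclasses import dataclass

# SSHFP algorithm numbers keyed by the OpenSSH key-type string (RFC 4255
# RSA/DSA, RFC 6594 ECDSA, RFC 7479 Ed25519, RFC 8709 Ed448).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
FPTYPE_SHA1, FPTYPE_SHA256 = 1, 2  # RFC 6594 fingerprint types


@dataclass(frozen=True)
class SSHFP:
    owner: str        # host name the record belongs to
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex, as in zone-file presentation format

    def rr(self) -> str:
        return f"{self.owner} IN SSHFP {self.algorithm} {self.fptype} {self.fingerprint}"


def sshfp_from_pubkey_line(owner: str, line: str, fptype: int = FPTYPE_SHA256) -> SSHFP:
    """Turn one 'keytype base64 [comment]' line (ssh_host_*_key.pub or
    ssh-keyscan output) into the SSHFP record ssh-keygen -r would emit."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The wire blob starts with the key type as an SSH string; make sure the
    # text label and the blob agree before choosing an algorithm number.
    (inner_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + inner_len] != keytype.encode("ascii"):
        raise ValueError("key type label does not match key blob")
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    # The fingerprint is the hash of the raw blob, not of the base64 text.
    hasher = {FPTYPE_SHA1: hashlib.sha1, FPTYPE_SHA256: hashlib.sha256}[fptype]
    return SSHFP(owner, SSHFP_ALGORITHM[keytype], fptype, hasher(blob).hexdigest())


def desired_records(inventory: dict[str, list[str]]) -> set[SSHFP]:
    """Inventory {owner: [pubkey lines]} -> the full set of SSHFP RRs it implies."""
    return {sshfp_from_pubkey_line(owner, line)
            for owner, lines in inventory.items() for line in lines}


def sshfp_drift(desired: set[SSHFP], published: set[SSHFP]) -> tuple[set[SSHFP], set[SSHFP]]:
    """(missing, stale): records the zone lacks, and records it still carries
    for keys the hosts no longer have. A stale record is exactly what a
    rebuilt VM leaves behind; both sets must be empty for the zone to be useful."""
    return desired - published, published - desired


def make_ed25519_pubkey_line(raw_key: bytes, comment: str) -> str:
    """Constructed sample key for the demo: encode an arbitrary 32-byte value
    in the OpenSSH public-key wire format (string keytype, string key)."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw_key
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed scenario (hypothetical host): vm1 was rebuilt and got a new host
# key, but the zone still carries the SSHFP computed from the old one.
OLD_KEY_LINE = make_ed25519_pubkey_line(bytes(range(32)), "root@vm1 (before rebuild)")
NEW_KEY_LINE = make_ed25519_pubkey_line(bytes(range(32, 64)), "root@vm1 (after rebuild)")
INVENTORY = {"vm1.example.net.": [NEW_KEY_LINE]}
PUBLISHED = {sshfp_from_pubkey_line("vm1.example.net.", OLD_KEY_LINE)}


def demo() -> tuple[set[SSHFP], set[SSHFP]]:
    """Print the zone changes needed to bring DNS back in line with the hosts."""
    missing, stale = sshfp_drift(desired_records(INVENTORY), PUBLISHED)
    for rec in sorted(stale, key=lambda r: r.rr()):
        print("REMOVE:", rec.rr())
    for rec in sorted(missing, key=lambda r: r.rr()):
        print("ADD:   ", rec.rr())
    return missing, stale


if __name__ == "__main__":
    demo()
```

In a real deployment the inventory would be fed from the build system or `ssh-keyscan` output and the published set from a zone transfer or SSHFP query, with the diff run on every host rebuild; here both sides are constructed so the script runs offline. The key-type check matters because the algorithm number is chosen from the text label while the hash covers the blob, so a mislabelled line would otherwise produce a record no client could match.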