[dns-operations] Is anyone actually using SSHFP records?
Andrew McConachie
andrew at depht.com
Thu Feb 27 03:23:18 UTC 2025
The code in OpenSSH is still getting exercised for it.
https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
--Andrew
On 27 Feb 2025, at 2:00, Phillip Hallam-Baker wrote:
> I am currently taking a hard look at mechanisms for using DNS Handles as a means for exchange of authenticated and non-authenticated contact information via JSContact.
>
> As part of that, I wanted to know if there was any *existing* use of the SSHFP record for publishing SSH credentials and if so whether it was limited to the server. And yes, I can read the specs, what I am asking about is actual practice.
>
> If there is existing use, it might be something to build on. Otherwise, I think it best to forget it and apply the same SRV/TXT framework used for everything else.
>
> The basic idea of JSContacts in handles being that I can put @phill.hallambaker.com on my business card or a publication, someone can pull the TXT record and get a uri that is a locator, decryptor and authenticator all in one:
>
> _jscontact.phill.hallambaker.com. IN TXT "uri=jscontact://mplace2.social/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq"
>
> That egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq bit is a truncated SHA-3 digest of the contact data. So if my SSH key is in the contact and the TXT record is DNSSEC signed, we have at least some authentication of the contact.
>
> Alternatively, I might put the jscontact link on my business card as a QR code. So now, you can scan the link and get direct verification.
>
> mplace2.social is just a resolution hint, a domain that currently has the contact information. If that is going to be in a paper publication, the resolution site might have changed but not the contact itself.
>
> jscontact: @phill.hallambaker.com/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq
>
> Since my publication engine has to populate the TXT records, it can do SSHFP in theory. But I see no reason to do that if it hasn't already established a user base.
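An added illustration, not from either poster, of what an SSHFP record actually carries and what a client such as OpenSSH with `VerifyHostKeyDNS` compares when it checks a host key against DNS: the fingerprint is a hash of the raw public-key blob (the same value `ssh-keygen -r` emits), and the comparison only means something if the RRset validated under DNSSEC. The key line below is built from dummy bytes and is not a real key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479, RFC 8709)
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
# SSHFP fingerprint types
FP_SHA1, FP_SHA256 = 1, 2


def sshfp_from_pubkey(openssh_line, fptype=FP_SHA256):
    """Return (algorithm, fptype, hex fingerprint) for one OpenSSH public-key line.

    The fingerprint is the hash of the base64-decoded key blob, exactly the
    bytes the server presents in the SSH key exchange.
    """
    keytype, b64 = openssh_line.split()[:2]
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for key type %r" % keytype)
    blob = base64.b64decode(b64)
    digest = hashlib.sha256 if fptype == FP_SHA256 else hashlib.sha1
    return (SSHFP_ALGORITHMS[keytype], fptype, digest(blob).hexdigest())


def host_key_matches(openssh_line, sshfp_rrs):
    """True if the presented key matches any SSHFP RR in the (already
    DNSSEC-validated) RRset; unknown fingerprint types are skipped, as a
    client must do to stay forward-compatible."""
    for alg, fpt, fp in sshfp_rrs:
        if fpt not in (FP_SHA1, FP_SHA256):
            continue
        if sshfp_from_pubkey(openssh_line, fpt) == (alg, fpt, fp.lower()):
            return True
    return False


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample: an ssh-ed25519 blob whose 32 key bytes are 0x00..0x1f.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " sample"
```

Pass `host_key_matches` only records from an answer whose AD bit was set by a validating resolver (or that you validated locally); an unsigned SSHFP RRset gives no more assurance than the key the server sent.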