[dns-operations] [Ext] Is anyone actually using SSHFP records?
Gavin Brown
gavin.brown at icann.org
Thu Feb 27 08:08:47 UTC 2025
I wrote this a while back; there was some interest in it at the time, but it never went anywhere:
https://datatracker.ietf.org/doc/html/draft-brown-whoami-02
G.
> On 26 Feb 2025, at 18:00, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>
> I am currently taking a hard look at mechanisms for using DNS Handles as a means for exchange of authenticated and non-authenticated contact information via JSContact.
>
> As part of that, I wanted to know if there was any *existing* use of the SSHFP record for publishing SSH credentials and if so whether it was limited to the server. And yes, I can read the specs, what I am asking about is actual practice.
>
> If there is existing use, it might be something to build on. Otherwise, I think it best to forget it and apply the same SRV/TXT framework used for everything else.
>
>
> The basic idea of JSContacts in handles being that I can put @phill.hallambaker.com on my business card or a publication, someone can pull the TXT record and get a uri that is a locator, decryptor and authenticator all in one:
>
> _jscontact.phill.hallambaker.com. IN TXT "uri=jscontact://mplace2.social/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq"
>
> That egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq bit is a truncated SHA-3 digest of the contact data. So if my SSH key is in the contact and the TXT record is DNSSEC signed, we have at least some authentication of the contact.
>
> Alternatively, I might put the jscontact link on my business card as a QR code. So now, you can scan the link and get direct verification.
>
> mplace2.social is just a resolution hint, a domain that currently has the contact information. If that is going to be in a paper publication, the resolution site might have changed but not the contact itself.
>
> jscontact: @phill.hallambaker.com/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq
>
>
> Since my publication engine has to populate the TXT records, it can do SSHFP in theory. But I see no reason to do that if it hasn't already established a user base.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Gavin Brown
Principal Engineer, Global Domains & Strategy
Internet Corporation for Assigned Names and Numbers (ICANN)
https://www.icann.org
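For readers who have not handled SSHFP in practice, the following is an added editorial example, not code from either poster or from the draft Gavin links. It builds the SSHFP RDATA that `ssh-keygen -r <host>` would emit for a public key (algorithm number, fingerprint type, hex digest of the raw key blob, per RFC 4255/6594/7479), and shows the client-side check an SSH client performs: the presented host key is accepted only if a record matches and the DNS answer was DNSSEC-validated, which is what OpenSSH's `VerifyHostKeyDNS` requires. The Ed25519 key bytes and the record list are constructed inline for the example and belong to no real host.

```python
"""Build and verify SSHFP records from OpenSSH public keys.

Added example, not code from the thread. The sample key below is a constructed
32-byte value used only as fingerprint input; a real key comes from ssh-keygen.
"""
import base64
import hashlib

# Algorithm numbers from RFC 4255 (RSA, DSA), RFC 6594 (ECDSA) and RFC 7479
# (Ed25519), keyed by the OpenSSH key-type string that precedes the base64 blob.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPES = {1: "sha1", 2: "sha256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length prefix, RFC 4251)."""
    return len(data).to_bytes(4, "big") + data


def ed25519_pubkey_line(raw32: bytes, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64>' line from a raw 32-byte public key.
    Used here only to construct sample input for the example."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (keytype, blob) from an authorized_keys/known_hosts style line and
    check that the type string embedded in the blob matches the text field."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    tlen = int.from_bytes(blob[:4], "big")
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type field does not match blob")
    return keytype, blob


def sshfp_rdata(line: str, fptype: int = 2) -> tuple[int, int, str]:
    """Compute SSHFP RDATA (algorithm, fptype, hex fingerprint) for a public key.
    The fingerprint is the digest of the raw key blob, as ssh-keygen -r emits."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]  # KeyError for unsupported key types is intended
    digest = hashlib.new(SSHFP_FPTYPES[fptype], blob).hexdigest()
    return alg, fptype, digest


def format_sshfp(owner: str, line: str, fptype: int = 2) -> str:
    """Render a zone-file line such as 'host.example. IN SSHFP 4 2 <hex>'."""
    alg, fpt, fp = sshfp_rdata(line, fptype)
    return f"{owner} IN SSHFP {alg} {fpt} {fp}"


def parse_sshfp_presentation(text: str) -> tuple[int, int, str]:
    """Parse SSHFP RDATA in presentation format ('4 2 abcd...')."""
    alg, fpt, fp = text.split()
    return int(alg), int(fpt), fp.lower()


def host_key_matches(line: str, records, dnssec_validated: bool) -> bool:
    """Decide whether a presented host key is backed by one of the SSHFP records.

    records: iterable of (alg, fptype, hexfp) tuples as returned by the resolver.
    dnssec_validated: whether the answer carried the AD bit. An unsigned SSHFP
    answer is spoofable and adds nothing over trust-on-first-use, so it is
    rejected outright, as OpenSSH does unless the resolver validated the answer.
    """
    if not dnssec_validated:
        return False
    keytype, _ = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS.get(keytype)
    for rec_alg, rec_fpt, rec_fp in records:
        if rec_alg != alg or rec_fpt not in SSHFP_FPTYPES:
            continue  # wrong algorithm or unknown digest type: cannot match
        _, _, fp = sshfp_rdata(line, rec_fpt)
        if fp == rec_fp.lower():
            return True
    return False


# Constructed sample key (not a real host key): 32 deterministic bytes.
SAMPLE_KEY = ed25519_pubkey_line(bytes(range(32)), "sample@host.example")

if __name__ == "__main__":
    print(format_sshfp("host.example.", SAMPLE_KEY))
    rec = parse_sshfp_presentation(format_sshfp("host.example.", SAMPLE_KEY).split("SSHFP ")[1])
    print("validated answer:", host_key_matches(SAMPLE_KEY, [rec], dnssec_validated=True))
    print("unsigned answer:", host_key_matches(SAMPLE_KEY, [rec], dnssec_validated=False))
```

To cross-check against a real key, compare the output of `format_sshfp` with `ssh-keygen -r host.example -f /etc/ssh/ssh_host_ed25519_key.pub`; the type-2 (SHA-256) line should be identical. The `dnssec_validated` gate is the point of the example: publishing SSHFP in an unsigned zone gives a client nothing it can safely act on, which is the same caveat Phillip raises for the `_jscontact` TXT record.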