[dns-operations] [Ssh] Is anyone actually using SSHFP records?
Christian Weisgerber
naddy at mips.inka.de
Thu Feb 27 16:11:55 UTC 2025
Phillip Hallam-Baker:
> As part of that, I wanted to know if there was any *existing* use of the
> SSHFP record for publishing SSH credentials and if so whether it was
> limited to the server.
The FreeBSD project publishes SSHFP records for its machines[1],
and from 2013 to 2023 the version of OpenSSH shipped with FreeBSD
defaulted to VerifyHostKeyDNS=yes:
    Change the default value of VerifyHostKeyDNS to "yes" if compiled with
    LDNS. With that setting, OpenSSH will silently accept host keys that
    match verified SSHFP records. If an SSHFP record exists but could not
    be verified, OpenSSH will print a message and prompt the user as usual.
I don't recall a rationale or public discussion. After a change
of FreeBSD's OpenSSH maintainer, the default setting was eventually
reverted:
    ssh: default VerifyHostKeyDNS to no, following upstream

    Revert to upstream's default. Using VerifyHostKeyDNS may depend on a
    trusted nameserver and network path.
[1] https://www.freebsd.org/internal/machines/
--
Christian "naddy" Weisgerber naddy at mips.inka.de
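As an added illustration (not part of this post, nor code from FreeBSD or OpenSSH), the Python below computes SSHFP RDATA from a host key line the way `ssh-keygen -r` does and models the accept-or-prompt decision the quoted commit message describes for VerifyHostKeyDNS=yes. The host keys and the DNSSEC-validated flag are constructed inputs, not real keys or resolver output.

```python
import base64
import hashlib

# SSHFP RDATA code points: RFC 4255 (RSA/DSA, SHA-1), RFC 6594 (ECDSA, SHA-256),
# RFC 7479 (Ed25519). The fingerprint is a hash of the raw public key blob,
# i.e. the base64-decoded second field of a host key / known_hosts line.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_hostkey(hostkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) as the zone would publish it."""
    keytype, b64 = hostkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALGORITHMS[keytype], fptype, SSHFP_FPTYPES[fptype](blob).hexdigest()


def matches_sshfp(hostkey_line, records):
    """True if any (alg, fptype, fp) record matches the presented host key."""
    keytype, b64 = hostkey_line.split()[:2]
    alg, blob = SSHFP_ALGORITHMS[keytype], base64.b64decode(b64)
    for r_alg, r_fptype, r_fp in records:
        if r_alg == alg and r_fptype in SSHFP_FPTYPES and \
           SSHFP_FPTYPES[r_fptype](blob).hexdigest() == r_fp.lower():
            return True
    return False


def verify_host_key_dns(hostkey_line, records, dnssec_validated):
    """Model of the quoted VerifyHostKeyDNS=yes behaviour: a matching record
    that arrived DNSSEC-validated (AD bit set) is accepted silently; every
    other outcome falls back to the usual known_hosts prompt."""
    if not records:
        return "no record"     # nothing in DNS: prompt as usual
    if matches_sshfp(hostkey_line, records):
        return "accept" if dnssec_validated else "unverified"  # unverified: prompt
    return "mismatch"          # record exists but differs: warn and prompt


# Constructed sample keys (not real keys): well-formed ssh-ed25519 blobs,
# i.e. the string "ssh-ed25519" followed by a 32-byte public key.
def _fake_ed25519_line(pubkey_bytes):
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pubkey_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

HOST_KEY = _fake_ed25519_line(bytes(range(32)))
OTHER_KEY = _fake_ed25519_line(bytes(32))
PUBLISHED = [sshfp_from_hostkey(HOST_KEY)]   # what the zone would carry
```

Only the "accept" path skips the prompt, which is why the record is only as trustworthy as the DNSSEC validation (and the nameserver and network path) behind it.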