[dns-operations] Is anyone actually using SSHFP records?
Leo Vandewoestijne
dnsoperations_leo at dns.company
Thu Feb 27 22:02:05 UTC 2025
On Wed, 26 Feb 2025, Phillip Hallam-Baker wrote:
> I wanted to know if there was any *existing* use of
> the SSHFP record for publishing SSH credentials and if so whether it
> was limited to the server. And yes, I can read the specs, what I am
> asking about is actual practice.
A. Schulze:
> having DNSSEC in place since years, of course, we also use SSHFP.
>
SSHFP doesn't require it, because RFC 4255 was made before a signed root existed.
And being part of DANE (RFC6698), TLSA does require DNSSEC.
Mind that you see a hash, and not simply the hostkey fingerprint.
So here are 3 different hostkey types:
_22._tcp.host.domain.tld. IN TLSA 3 1 1 A6927F680FD9FE1EF8A6100559EF2C7958677577500048322F7E6927F680FD9A
_22._tcp.host.domain.tld. IN TLSA 3 1 1 B1EF8A6100559EF2C7958677577500048322F7E6927F680FD9FE1EF8A610055B
_22._tcp.host.domain.tld. IN TLSA 3 1 1 CF2C7958677577500048322F7E6927F680FD9FE1EF8A6100559EF2C79586775C
Host *.domain.tld
VerifyHostKeyDNS yes
DANE yes
However, TLSA for SSH and SSHFP are not mutually exclusive; they can coexist.
Bottom line: do mind that SSHFP may work without DNSSEC.
George Michaelson:
> but the SSHFP information is recreated in the new VM build, and then
> nobody remembers to update the central view.
> I think the record itself structurally is fine. But the operational
> duty cycle over it, is probably not adequately integrated into systems.
>
Indeed, unlike A or MX records.
I wanted to tackle that job with a different approach...
Never finished for publication, but since you're asking for it:
https://dns.company/publications/sss.php
Summary: TXT records to toss around public SSH keys.
The SSHFP was because back then I wasn't yet aware that the TLSA record would be a better choice.
You likely do not wish to disclose usernames on public facing nameservers.
Also you probably do not want it to be 100% dynamic build + you wish to handle errors better.
Phillip Hallam-Baker:
> I wanted to know if there was any *existing* use of the SSHFP record for publishing SSH credentials
> and if so whether it was limited to the server.
>
So *existing* ... not really,
Only a (successful) proof of concept.
Christian Weisgerber:
> the version of OpenSSH shipped with FreeBSD defaulted to VerifyHostKeyDNS=yes
>
I recently compared the default sshd_config in FreeBSD with the one in Ubuntu.
I was amazed by the undesired overdose of user-friendliness in Ubuntu, compared to FreeBSD.
PasswordAuthentication defaults to yes, and VerifyHostKeyDNS isn't even mentioned in the manual.
Important to know, when writing cross-platform compatible config, that they use their own defaults.
Leo Vandewoestijne
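The two hashes the post contrasts, as an added example (not code from the post, from dns.company or from OpenSSH): an SSHFP digest is taken over the SSH wire-format key blob, while a TLSA 3 1 1 digest is taken over the key's DER SubjectPublicKeyInfo, so the same Ed25519 host key yields two different records. Standard library only; the 32 key bytes and the host.domain.tld. owner are constructed placeholders.

```python
import base64
import hashlib
import struct

# Constructed sample key (32 bytes), NOT a real host key: stands in for the
# raw Ed25519 public key found in the host's ssh_host_ed25519_key.pub.
SAMPLE_RAW_KEY = bytes(range(32))

# Fixed DER prefix of a SubjectPublicKeyInfo for Ed25519 (RFC 8410): only the
# 32 raw key bytes vary, so the SPKI can be built without an ASN.1 library.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ssh_wire_blob(raw_key: bytes, algo: bytes = b"ssh-ed25519") -> bytes:
    """SSH wire encoding (string algo, string key); this is what the base64
    part of a known_hosts or .pub line decodes to."""
    return struct.pack(">I", len(algo)) + algo + struct.pack(">I", len(raw_key)) + raw_key


def pubkey_line(raw_key: bytes) -> str:
    """One-line public key form, as written in ssh_host_ed25519_key.pub."""
    return "ssh-ed25519 " + base64.b64encode(ssh_wire_blob(raw_key)).decode()


def raw_key_from_pubkey_line(line: str) -> bytes:
    """Parse an 'ssh-ed25519 AAAA... comment' line back to the raw key bytes."""
    algo, b64, *_ = line.split()
    blob = base64.b64decode(b64)
    alen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + alen] != algo.encode():
        raise ValueError("algorithm name in blob does not match line")
    klen = struct.unpack(">I", blob[4 + alen:8 + alen])[0]
    return blob[8 + alen:8 + alen + klen]


def sshfp_record(owner: str, raw_key: bytes) -> str:
    """SSHFP (RFC 4255): algorithm 4 = Ed25519 (RFC 7479), fptype 2 = SHA-256
    (RFC 6594); the digest covers the SSH wire blob, like ssh-keygen -r."""
    digest = hashlib.sha256(ssh_wire_blob(raw_key)).hexdigest().upper()
    return f"{owner} IN SSHFP 4 2 {digest}"


def tlsa_record(owner: str, raw_key: bytes) -> str:
    """TLSA 3 1 1 (RFC 6698): DANE-EE, selector 1 = SubjectPublicKeyInfo,
    matching type 1 = SHA-256; the digest covers DER SPKI, not the SSH blob."""
    digest = hashlib.sha256(ED25519_SPKI_PREFIX + raw_key).hexdigest().upper()
    return f"_22._tcp.{owner} IN TLSA 3 1 1 {digest}"


if __name__ == "__main__":
    key = raw_key_from_pubkey_line(pubkey_line(SAMPLE_RAW_KEY))
    print(sshfp_record("host.domain.tld.", key))
    print(tlsa_record("host.domain.tld.", key))
```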