The DNS Secure Shell Fingerprint (SSHFP) record provides a way to verify Secure Shell (SSH) host keys using the DNS Security Extensions (DNSSEC). The SSHFP record provides out-of-band verification: the client looks up the SSHFP fingerprint of the server's public host key in DNS and relies on DNSSEC to verify that the answer is authentic. Without DNSSEC validation an SSHFP record offers no real protection, because an attacker positioned to substitute a host key can usually substitute the DNS answer as well; OpenSSH, for example, only trusts SSHFP data automatically (VerifyHostKeyDNS) when the resolver reports the answer as validated, and otherwise still prompts the user to confirm the key.
An SSH client connecting to an SSH server can look up the SSHFP resource records for the host it is connecting to. The algorithm and fingerprint of the key presented by the SSH server are matched against the algorithm and fingerprint combinations in the SSHFP resource records (RR). The SSHFP RR consists of the owner name, algorithm, fingerprint type, fingerprint, and time to live (TTL).
The SSHFP record form consists of the following fields:
- Host - The host name the record applies to (the owner name). Entered and validated as a standard host name.
- Algorithm - The public-key algorithm of the host key. Select one of the following options from the drop-down menu (the number in parentheses is the value stored in the record):
  - RSA (1)
  - DSS (2)
  - ECDSA (3)
  - Ed25519 (4)
- Hash Type - The hash algorithm used to compute the fingerprint of the public key. Select one of the following options from the drop-down menu. Prefer SHA-256; SHA-1 is retained for older clients, and a host can publish one record of each type.
  - SHA-1 (1)
  - SHA-256 (2)
- Fingerprint - The hexadecimal value of the fingerprint: the selected hash computed over the raw public key blob (the base64-decoded part of the OpenSSH public-key line), not over its text form. On the server, `ssh-keygen -r <hostname>` prints the records for the installed host keys in exactly this form.
- TTL - The time to live for the record, in seconds.
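The following is an added example, not code from the original page or from any DNS provider: it builds SSHFP records from an OpenSSH host key in the form the fields above describe, parses the RDATA as a resolver returns it, and checks a presented host key against a set of records the way a client does. The DNS lookup and DNSSEC validation are left out, so a match is only meaningful for records taken from a validated answer. The host name `host.example.com.`, the Ed25519 blob (whose 32-byte point is just 0x00..0x1f) and the key comment are constructed sample data, not a real key.

```python
"""Build and check SSHFP records from OpenSSH public host keys (added example)."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the
# key-type string that opens every OpenSSH public-key blob.
ALGORITHM_BY_KEYTYPE = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types and the hash each one names.
FPTYPE_SHA1 = 1
FPTYPE_SHA256 = 2
HASH_BY_FPTYPE = {FPTYPE_SHA1: hashlib.sha1, FPTYPE_SHA256: hashlib.sha256}


@dataclass(frozen=True)
class SSHFP:
    owner: str
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex

    def presentation(self, ttl: int = 3600) -> str:
        """Zone-file form of the record."""
        return f"{self.owner} {ttl} IN SSHFP {self.algorithm} {self.fptype} {self.fingerprint}"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def key_type_of(blob: bytes) -> str:
    """The first SSH string in a public-key blob is the key-type name."""
    (n,) = struct.unpack_from(">I", blob, 0)
    return blob[4:4 + n].decode("ascii")


def sshfp_from_blob(owner: str, blob: bytes, fptype: int) -> SSHFP:
    """Hash the raw key blob (what ssh-keygen -r hashes), not its base64 text."""
    algorithm = ALGORITHM_BY_KEYTYPE[key_type_of(blob)]
    digest = HASH_BY_FPTYPE[fptype](blob).hexdigest()
    return SSHFP(owner, algorithm, fptype, digest)


def sshfp_from_openssh_line(owner: str, line: str, fptype: int) -> SSHFP:
    """line is a host_key.pub line: '<keytype> <base64 blob> [comment]'."""
    keytype, b64, *_ = line.split()
    blob = base64.b64decode(b64)
    if key_type_of(blob) != keytype:
        raise ValueError("key type in text and in blob disagree")
    return sshfp_from_blob(owner, blob, fptype)


def parse_sshfp_rdata(owner: str, rdata: str) -> SSHFP:
    """Parse RDATA as dig prints it: '<alg> <fptype> <hex...>'.
    dig may break a long fingerprint across whitespace, so join the pieces."""
    alg, fptype, *hexparts = rdata.split()
    return SSHFP(owner, int(alg), int(fptype), "".join(hexparts).lower())


def verify_host_key(blob: bytes, records: Iterable[SSHFP]) -> Optional[SSHFP]:
    """Client-side check: hash the presented key with each fingerprint type and
    look for a record whose (algorithm, fptype, fingerprint) matches exactly.
    Returns the matching record, or None if nothing matches."""
    algorithm = ALGORITHM_BY_KEYTYPE.get(key_type_of(blob))
    if algorithm is None:
        return None
    digests = {t: h(blob).hexdigest() for t, h in HASH_BY_FPTYPE.items()}
    for rec in records:
        if (rec.algorithm == algorithm and rec.fptype in digests
                and hmac.compare_digest(rec.fingerprint.lower(), digests[rec.fptype])):
            return rec
    return None


# Constructed sample input (not a real key): an ssh-ed25519 blob whose 32-byte
# point is 0x00..0x1f, in the same wire format a real host key uses.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@host.example.com"
# The same key with one byte flipped, standing in for a substituted host key.
TAMPERED_BLOB = SAMPLE_BLOB[:-1] + bytes([SAMPLE_BLOB[-1] ^ 0x01])

if __name__ == "__main__":
    owner = "host.example.com."
    for fptype in (FPTYPE_SHA256, FPTYPE_SHA1):
        print(sshfp_from_openssh_line(owner, SAMPLE_LINE, fptype).presentation())
    published = [sshfp_from_blob(owner, SAMPLE_BLOB, FPTYPE_SHA256)]
    print("genuine key matches:", verify_host_key(SAMPLE_BLOB, published) is not None)
    print("tampered key matches:", verify_host_key(TAMPERED_BLOB, published) is not None)
```

Running the script prints the two records (types 2 and 1) for the constructed key, then `True` for the genuine key and `False` for the tampered one. The comparison uses `hmac.compare_digest` so that a mismatch does not leak how many leading hex digits agreed; the order of records passed to `verify_host_key` decides which matching record is reported when a host publishes both hash types.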