SSHFP stands for Secure Shell Fingerprint. The purpose of an SSHFP record is to authenticate the SSH server’s host key via DNS. This is achieved by publishing a fingerprint (a hash) of the server’s public host key in the DNS as an SSHFP record.
The DNS response carrying the record is authenticated with DNSSEC, so the SSH client can compare the host key the server presents against the published fingerprint instead of asking the user to verify it. In practice users accept an unknown host key blindly on the first connection, which leaves that connection open to a man-in-the-middle attack.
With an SSHFP record the check is carried out automatically rather than skipped, which strengthens host authentication for the SSH connection. In OpenSSH the client-side setting is VerifyHostKeyDNS: yes trusts a matching, DNSSEC-validated record without prompting, while ask shows the DNS result but still prompts the user.
Since DNSSEC is what authenticates the fingerprint, the zone must be signed and the client must use a validating resolver it trusts: OpenSSH only treats an SSHFP answer as secure when the resolver sets the AD (authenticated data) flag, and an unsigned or unvalidated record is merely informational. Without DNSSEC, an attacker who can spoof DNS responses could simply publish a fingerprint for their own key.
The structure of an SSHFP record is as follows:
⟨Name⟩
The owner name of the resource record, normally the host name clients connect to (optional in a zone file, where it defaults to the previous owner name)
⟨TTL⟩
Time to live, in seconds: how long resolvers may cache the record (optional)
⟨Class⟩
Protocol group to which the resource record belongs, IN for Internet (optional)
⟨Algorithm⟩
Public key algorithm (0: reserved; 1: RSA;[1] 2: DSA;[1] 3: ECDSA;[2] 4: Ed25519;[3] 6: Ed448[4])
⟨Type⟩
Algorithm used to hash the public key (0: reserved; 1: SHA-1;[1] 2: SHA-256[2]). Publish SHA-256; SHA-1 fingerprints are retained only for compatibility with older clients.
⟨Fingerprint⟩
Hexadecimal representation of the hash result, as text: 40 hex characters for SHA-1, 64 for SHA-256. The hash is computed over the binary public key blob (the base64-decoded key field of the OpenSSH public key line), not over its text encoding.
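The following is an added example, not code from the original page: it builds SSHFP records from an OpenSSH public key line, parses a record back into its fields, and performs the comparison an SSH client makes once DNSSEC has authenticated the record. The key line is constructed (the 32-byte Ed25519 "key" is just 0x00..0x1f), the host name host.example is an assumption, and the algorithm and type tables are the IANA values listed above. For real keys the stock tool is ssh-keygen -r hostname, which prints the same records from the host's own key files.

```python
import base64
import hashlib
import hmac
import struct

# IANA SSHFP algorithm numbers, keyed by the key-type string that appears
# as the first field of an OpenSSH public key line.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}

# IANA SSHFP fingerprint types and the digest each one denotes.
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}
FP_HEX_LENGTH = {1: 40, 2: 64}


def key_blob(pubkey_line):
    """Return (key_type, blob) from an OpenSSH public key line.

    The fingerprint is taken over the wire-format key blob, i.e. the
    base64-decoded second field, never over the base64 text itself.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject
    # a line whose text field and blob disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match text field")
    return key_type, blob


def sshfp_fingerprint(blob, fptype):
    """Lowercase hex fingerprint of a key blob for an SSHFP fingerprint type."""
    if fptype not in SSHFP_FPTYPES:
        raise ValueError(f"unsupported SSHFP fingerprint type {fptype}")
    return SSHFP_FPTYPES[fptype](blob).hexdigest()


def sshfp_records(hostname, pubkey_line, fptypes=(2,)):
    """Zone-file SSHFP records for one host key; SHA-256 only by default,
    SHA-1 (type 1) only when explicitly requested."""
    key_type, blob = key_blob(pubkey_line)
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    algo = SSHFP_ALGORITHMS[key_type]
    return [f"{hostname}. IN SSHFP {algo} {t} {sshfp_fingerprint(blob, t)}"
            for t in fptypes]


def parse_sshfp(record):
    """Parse an SSHFP record, given either as bare RDATA ('algo type hex')
    or as a full zone line, into (algorithm, fptype, hex_fingerprint)."""
    fields = record.split()
    if "SSHFP" in fields:                       # strip owner/TTL/class/SSHFP
        fields = fields[fields.index("SSHFP") + 1:]
    if len(fields) < 3:
        raise ValueError("SSHFP record needs algorithm, type and fingerprint")
    algo, fptype = int(fields[0]), int(fields[1])
    hexfp = "".join(fields[2:]).lower()         # presentation form may split hex
    if fptype not in FP_HEX_LENGTH:
        raise ValueError(f"unsupported fingerprint type {fptype}")
    if len(hexfp) != FP_HEX_LENGTH[fptype]:
        raise ValueError(f"fingerprint must be {FP_HEX_LENGTH[fptype]} hex chars")
    bytes.fromhex(hexfp)                        # raises on non-hex input
    return algo, fptype, hexfp


def key_matches_record(pubkey_line, record):
    """The client-side check: does the key the server presented produce the
    published fingerprint? Only meaningful after DNSSEC validated the record."""
    key_type, blob = key_blob(pubkey_line)
    algo, fptype, hexfp = parse_sshfp(record)
    if SSHFP_ALGORITHMS.get(key_type) != algo:
        return False
    return hmac.compare_digest(sshfp_fingerprint(blob, fptype), hexfp)


def constructed_ed25519_pubkey_line():
    """A constructed (not real) ssh-ed25519 public key line; the 32-byte
    'key' is 0x00..0x1f, enough to exercise the blob encoding."""
    raw = bytes(range(32))
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    line = constructed_ed25519_pubkey_line()
    for rec in sshfp_records("host.example", line, fptypes=(1, 2)):
        print(rec, "matches key:", key_matches_record(line, rec))
```

A record that fails key_matches_record is exactly the situation a client must refuse to auto-accept; a record whose DNS answer was not DNSSEC-validated should be treated the same way regardless of the comparison result.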
Reference Pages: