Monthly Archives: December 2015

SSH Fingerprints in DNS

Here’s how to add SSHFP records to DNS.  You need to have DNSSEC signed zones for this to work.

To generate the records, simply use the following command against your host public keys and copy them into your DNS zonefile:

/bin/sh -c ‘for i in /etc/ssh/ssh_host_*; do ssh-keygen -r HOSTNAME -f $i; done’

If you’re using openssh-portable under FreeBSD, change the /etc/ssh/ path above to be /usr/local/etc/ssh/

The HOSTNAME part of the above command line is cosmetic and used purely for the DNS output.

Ignore any ‘unsupported algorithm’ message – this is due to certain keytypes not being supported in SSHFP for now.