A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established.
⟨Name⟩ [⟨TTL⟩] [⟨Class⟩] SSHFP ⟨Algorithm⟩ ⟨Type⟩ ⟨Fingerprint⟩
host.example.com. SSHFP 4 2 123456789abcdef67890123456789abcdef67890123456789abcdef123456789
In this example, the host with the domain name host.example.com uses an Ed25519 key with the SHA-256 fingerprint 123456789abcdef67890123456789abcdef67890. This output would be produced by a ssh-keygen -r host.example.com. command on the target server by reading the existing default SSH host key (Ed25519).[5]
With the OpenSSH suite, the ssh-keyscan utility can be used to determine the fingerprint of a host's key; using the -D option will print out the SSHFP record directly.[6]
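The following added example, which is not part of the original article or of OpenSSH, computes the SSHFP fields from a public key line and checks whether a record matches a key. The function names and the sample key (32 constructed bytes, not a real host key) are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
                  "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
                  "ecdsa-sha2-nistp521": 3}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(pubkey_line):
    """Return (key type, raw key blob) from a '<type> <base64> [comment]' line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with its own length-prefixed type name; it must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type label does not match key blob")
    return key_type, blob

def make_sshfp(name, pubkey_line, fp_type=2):
    """Build the record text in the '<Name> SSHFP <Alg> <Type> <Fp>' form."""
    key_type, blob = key_blob(pubkey_line)
    digest = FP_HASHES[fp_type](blob).hexdigest()  # hash of the whole key blob
    return f"{name} SSHFP {KEY_ALGORITHMS[key_type]} {fp_type} {digest}"

def parse_sshfp(record):
    """Parse a record line (TTL and class optional) and validate its fields."""
    fields = record.split()
    i = fields.index("SSHFP")
    algorithm, fp_type = int(fields[i + 1]), int(fields[i + 2])
    fingerprint = bytes.fromhex("".join(fields[i + 3:]))
    if fp_type not in FP_HASHES:
        raise ValueError("unsupported fingerprint type")
    if len(fingerprint) != FP_HASHES[fp_type]().digest_size:
        raise ValueError("fingerprint length does not fit its type")
    return fields[0], algorithm, fp_type, fingerprint.hex()

def record_matches_key(record, pubkey_line):
    """True only if both the algorithm number and the fingerprint match the key."""
    _, algorithm, fp_type, fingerprint = parse_sshfp(record)
    key_type, blob = key_blob(pubkey_line)
    return (KEY_ALGORITHMS.get(key_type) == algorithm
            and FP_HASHES[fp_type](blob).hexdigest() == fingerprint)

def constructed_ed25519_line(raw32):
    """Constructed sample input: wrap 32 bytes as an ssh-ed25519 public key line."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

A match here only shows that the record and the key agree; whether the record itself can be trusted still depends on it having been obtained over DNSSEC, as stated above.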