All persons authorized for the DNS-Admin can now store so-called Secure Shell Fingerprints (SSHFP) in the DNS via individual entries or a mass import (see RFC 4255, 6594 and 7479). The structure of this record type (for detailed parameters see ) is:

<$SERVER.$> [<TTL in seconds>] [<Class>] SSHFP <number of the algorithm> <number of the hash type> <hexadecimal fingerprint>
Information on algorithm and hash type
  1. Generate SSHFP
    • on the server

      sudo ssh-keygen -r $HOSTNAME.$
    • remote (via

      / $HOSTNAME.$
  2. Consider SSHFP when establishing a connection
    • per request

      ssh -o VerifyHostKeyDNS=yes -l $USER $HOSTNAME.$
      ssh -o FingerprintHash=sha256 -o VerifyHostKeyDNS=yes -l $USER $HOSTNAME.$
    • global SSH client configuration (all SSH connections from one computer, see "Hostname canonicalisation in OpenSSH")

      CanonicalizeHostname yes
      CanonicalDomains $
      CanonicalizeMaxDots 0
      CanonicalizeFallbackLocal no
      VerifyHostKeyDNS yes
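The following is an added example, not part of the DNS-Admin documentation or of OpenSSH: it builds the SSHFP zone lines for a public key the way `ssh-keygen -r` does (algorithm number from the key type, fingerprint type 1 = SHA-1 and 2 = SHA-256, hex digest over the base64-decoded key blob), parses the RDATA part of a record, and performs a simplified version of the check the client does with `VerifyHostKeyDNS yes`. The host name `host.example.`, the function names and the sample keys are assumptions; the keys are constructed byte strings, not real host keys.

```python
"""Build and check SSHFP records from OpenSSH public keys (RFC 4255, 6594, 7479).
Added example; not the DNS-Admin or OpenSSH implementation."""
import base64
import hashlib
import struct
from typing import List, Optional, Tuple

# Algorithm numbers for the key types covered by the cited RFCs.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,              # RFC 4255
    "ssh-dss": 2,              # RFC 4255
    "ecdsa-sha2-nistp256": 3,  # RFC 6594
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,          # RFC 7479
}

# Fingerprint type numbers: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _key_blob(pubkey_line: str) -> Tuple[str, bytes]:
    """Return (key type, wire-format blob) from an authorized_keys-style line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed string naming the key type;
    # it must agree with the first field, otherwise the line is inconsistent.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type field does not match the encoded blob")
    return key_type, blob


def sshfp_records(hostname: str, pubkey_line: str, ttl: Optional[int] = None) -> List[str]:
    """Zone lines '<host> [TTL] IN SSHFP <alg> <hash> <hex>' for both hash types.
    hostname is the fully qualified name with a trailing dot."""
    key_type, blob = _key_blob(pubkey_line)
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for key type {key_type!r}")
    ttl_field = f" {ttl}" if ttl is not None else ""
    return [
        f"{hostname}{ttl_field} IN SSHFP {SSHFP_ALGORITHM[key_type]} "
        f"{hash_num} {hash_fn(blob).hexdigest()}"
        for hash_num, hash_fn in sorted(SSHFP_HASH.items())
    ]


def parse_sshfp(rdata: str) -> Tuple[int, int, str]:
    """Parse the RDATA '<algorithm> <hash type> <hex fingerprint>' of an SSHFP record."""
    parts = rdata.split()
    if len(parts) != 3:
        raise ValueError("SSHFP RDATA needs exactly three fields")
    algorithm, hash_num, fingerprint = int(parts[0]), int(parts[1]), parts[2].lower()
    if hash_num not in SSHFP_HASH:
        raise ValueError(f"unknown fingerprint type {hash_num}")
    want = SSHFP_HASH[hash_num]().digest_size * 2   # hex characters expected
    if len(fingerprint) != want or any(c not in "0123456789abcdef" for c in fingerprint):
        raise ValueError("fingerprint is not hex of the expected length")
    return algorithm, hash_num, fingerprint


def verify_host_key(pubkey_line: str, rdata_list: List[str]) -> bool:
    """Simplified VerifyHostKeyDNS check: the presented key is accepted only if
    some record agrees on algorithm, hash type and fingerprint. Malformed
    records are skipped and never lead to acceptance."""
    key_type, blob = _key_blob(pubkey_line)
    algorithm = SSHFP_ALGORITHM.get(key_type)
    if algorithm is None:
        return False
    for rdata in rdata_list:
        try:
            rec_alg, rec_hash, rec_fp = parse_sshfp(rdata)
        except ValueError:
            continue
        if rec_alg == algorithm and SSHFP_HASH[rec_hash](blob).hexdigest() == rec_fp:
            return True
    return False


def _constructed_key_line(key_type: str, key_bytes: bytes) -> str:
    """Constructed sample key line for this demo (placeholder bytes, not a real key)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} demo"


SAMPLE_KEY = _constructed_key_line("ssh-ed25519", bytes(range(32)))      # constructed
OTHER_KEY = _constructed_key_line("ssh-ed25519", bytes(range(32, 64)))   # constructed

if __name__ == "__main__":
    for line in sshfp_records("host.example.", SAMPLE_KEY, ttl=3600):
        print(line)   # same shape as the output of `ssh-keygen -r host.example.`
```

The verification deliberately lower-cases the fingerprint before comparing, because the hex in a zone file may be written in either case, and it treats a record with a wrong length or non-hex characters as absent rather than as a match; OpenSSH's own logic is stricter still (for example it does not trust SSHFP answers that are not DNSSEC-validated without prompting), so treat this as an illustration of the data format, not a replacement for the client.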

last changed on 29.01.2021

