NameSurfer Suite
SSHFP records
FusionLayer
HELP

NameSurfer 7.6.4.1


SSHFP (SSH fingerprint) records are used to store SSH server key fingerprints. This allows recognition of SSH hosts that are previously unknown to the client, using the DNS system as a distributed host fingerprint store. When used in conjunction with DNSSEC to validate the zone data, this allows verification of the host identity without the need to obtain proof of the authenticity of the key presented by the host via other channels.

While the SSHFP record may be present in any zone/node, the specification in RFC 4255 explicitly warns against relying on data that is present in zones that are not verifiable using DNSSEC.

The SSHFP record data is represented as a data string with three fields: algorithm, fingerprint type and fingerprint. For example:

host.example.  SSHFP 2 1 123456789abcdef67890123456789abcdef67890
(example from RFC 4255)
The string accepted by NameSurfer thus consists of two integer values followed by the fingerprint in hexadecimal. Valid values for the algorithm field are 1 (RSA) and 2 (DSA); the only currently valid value for the fingerprint type is 1 (SHA-1). The fingerprint data itself can be obtained from the SSH server it represents.
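The following Python example is added here for illustration and is not part of NameSurfer; it validates an SSHFP data string against the three-field format above and derives the SHA-1 fingerprint field from an OpenSSH public key line. The key blob it uses is a constructed placeholder, not a real host key.

```python
# Added example (not NameSurfer's own code): build and validate SSHFP record
# data in the "algorithm fingerprint-type fingerprint" form described above.
import base64
import hashlib
import struct

ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2}   # RFC 4255 algorithm numbers
FP_TYPE_SHA1 = 1                             # RFC 4255 fingerprint type

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data

def parse_sshfp(rdata: str):
    """Parse 'alg fptype hex' into a validated (alg, fptype, hex) tuple."""
    fields = rdata.split()
    if len(fields) != 3:
        raise ValueError("SSHFP data needs exactly three fields")
    alg, fptype, fp = int(fields[0]), int(fields[1]), fields[2].lower()
    if alg not in ALGORITHMS.values():
        raise ValueError("algorithm must be 1 (RSA) or 2 (DSA)")
    if fptype != FP_TYPE_SHA1:
        raise ValueError("fingerprint type must be 1 (SHA-1)")
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("SHA-1 fingerprint must be 40 hex digits")
    return alg, fptype, fp

def sshfp_from_openssh_line(line: str) -> str:
    """Derive SSHFP data from an OpenSSH public key line ('type base64 [comment]').

    The fingerprint is SHA-1 over the decoded key blob, i.e. the same bytes
    the server presents during key exchange, so a DNSSEC-validated record can
    be compared directly against the key the client actually received.
    """
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    if not blob.startswith(ssh_string(keytype.encode())):
        raise ValueError("key blob does not match declared key type")
    fp = hashlib.sha1(blob).hexdigest()
    return f"{ALGORITHMS[keytype]} {FP_TYPE_SHA1} {fp}"

# Constructed sample key blob: ssh-rsa with tiny placeholder e and n values.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc3")
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " example-host"

if __name__ == "__main__":
    print("host.example.  SSHFP", sshfp_from_openssh_line(SAMPLE_LINE))
```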