A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH public keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established; without validation an SSHFP answer can be spoofed like any other DNS response and proves nothing about the host key.
Structure
A record consists of the usual resource-record fields followed by three SSHFP-specific fields. The fingerprint is computed over the public key in its SSH wire encoding (the base64-decoded portion of an OpenSSH public key line), and the resulting digest is stored as-is in the fingerprint field.
; Name : The name of the object to which the resource record belongs (optional)
; TTL : Time to live (in seconds). Validity of the resource record (optional)
; Class : Protocol group to which the resource record belongs (optional)
; Algorithm : Public key algorithm (0: reserved; 1: RSA; 2: DSA; 3: ECDSA; 4: Ed25519; 6: Ed448[1]; the value 5 is unassigned)
; Type : Algorithm used to hash the public key (0: reserved; 1: SHA-1; 2: SHA-256)
; Fingerprint : Hexadecimal representation of the hash result, as text
Example
In this example, the host with the domain name host.example.com uses a DSA key with the SHA-1 fingerprint 123456789abcdef67890123456789abcdef67890, so its record carries algorithm 2 and type 1:
host.example.com. IN SSHFP 2 1 123456789abcdef67890123456789abcdef67890
This combination is shown for illustration only: OpenSSH has disabled DSA host keys by default since version 7.0, and SHA-1 is no longer considered collision-resistant, so new records should be published for an ECDSA or Ed25519 key with fingerprint type 2 (SHA-256).
With the OpenSSH suite, the ssh-keyscan utility can be used to determine the fingerprint of a host's key; using the -D option will print out the SSHFP records directly. On the host itself, ssh-keygen -r hostname prints the same records from the local host key files. On the client side, OpenSSH consults SSHFP records when VerifyHostKeyDNS is enabled in ssh_config; it trusts a matching record implicitly only if the resolver reports the answer as DNSSEC-validated, and otherwise falls back to prompting the user as if the option were set to ask.
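The following Python is an added example, not code from the page or from OpenSSH. It recomputes, from an OpenSSH public key line, the records that ssh-keygen -r and ssh-keyscan -D print (covering the record structure above and the ssh-keyscan step), and then performs the client-side match a verifier does with those records, refusing to trust an answer that was not DNSSEC-validated. The hostname host.example.com and the 32-byte key value are constructed for the example; the preference for SHA-256 over SHA-1 records is this example's policy, not a claim about OpenSSH's exact behaviour.

```python
"""SSHFP generation and host-key matching, after RFC 4255.

Added example for this page (not OpenSSH code). It recomputes what
`ssh-keygen -r` and `ssh-keyscan -D` print and the matching step a client
performs with VerifyHostKeyDNS, using only the Python standard library.
The sample host key below is constructed, not a real key.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP Algorithm field (IANA): 0 reserved, 5 unassigned; keyed by the SSH
# key type string that precedes the base64 blob in an OpenSSH public key line.
ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
# SSHFP Type field: which hash is run over the key blob.
FP_TYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def fingerprint(blob, fp_type):
    """Hex digest of the raw public-key blob (the base64-decoded part of the
    key line). RFC 4255 stores the digest bytes as-is in the RDATA."""
    return FP_TYPE[fp_type](blob).hexdigest()


def _wire_string(blob, offset=0):
    """SSH wire-format string (uint32 big-endian length + bytes) at offset."""
    (n,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + n]


def parse_pubkey_line(line):
    """Accepts ssh-keyscan output ('host type b64') or a .pub line
    ('type b64 comment'); returns (keytype, blob) or raises ValueError."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in ALGORITHM:
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob itself starts with the key type; refuse mismatches
            # rather than publishing one key type under another's number.
            if _wire_string(blob) != field.encode():
                raise ValueError("key type field does not match key blob")
            return field, blob
    raise ValueError("no supported key type in line")


def sshfp_records(hostname, line, fp_types=(2,)):
    """Zone-file lines for one key. SHA-256 only by default; fp_types=(1, 2)
    also emits the SHA-1 record that ssh-keyscan -D prints."""
    keytype, blob = parse_pubkey_line(line)
    alg = ALGORITHM[keytype]
    return ["%s. IN SSHFP %d %d %s" % (hostname, alg, t, fingerprint(blob, t))
            for t in fp_types]


def parse_sshfp_rdata(record):
    """'host. IN SSHFP 4 2 ab..' -> (4, 2, 'ab..'), the shape a resolver returns."""
    fields = record.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def verify_host_key(line, rdata, secure):
    """Client-side check. rdata: list of (algorithm, type, hex) tuples.
    secure: True only if the resolver reported the answer DNSSEC-validated
    (AD bit); an unvalidated SSHFP answer proves nothing, so this example
    rejects it outright (OpenSSH instead degrades to asking the user).
    Example policy: when any SHA-256 record exists for the key's algorithm,
    SHA-1 records are ignored so the weaker hash is never the deciding one."""
    if not secure:
        return False
    keytype, blob = parse_pubkey_line(line)
    alg = ALGORITHM[keytype]
    candidates = [(t, fp) for a, t, fp in rdata if a == alg and t in FP_TYPE]
    if any(t == 2 for t, _ in candidates):
        candidates = [(t, fp) for t, fp in candidates if t == 2]
    return any(hmac.compare_digest(fingerprint(blob, t).encode(), fp.encode())
               for t, fp in candidates)


def constructed_ed25519_line(hostname="host.example.com"):
    """ssh-keyscan-style line for a CONSTRUCTED 32-byte value (not a real
    Ed25519 key), built in SSH wire format: string keytype, string key."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "%s ssh-ed25519 %s" % (hostname, base64.b64encode(blob).decode())


if __name__ == "__main__":
    line = constructed_ed25519_line()
    records = sshfp_records("host.example.com", line, fp_types=(1, 2))
    print("\n".join(records))
    rdata = [parse_sshfp_rdata(r) for r in records]
    print("validated answer matches:", verify_host_key(line, rdata, secure=True))
    print("unvalidated answer trusted:", verify_host_key(line, rdata, secure=False))
```

Feeding a real `ssh-keyscan -t ed25519 host` line into sshfp_records produces the same type-2 record as `ssh-keyscan -D`; the `secure` flag stands in for whatever the caller's resolver library exposes for DNSSEC validation status, which is the part of the check that the record format itself cannot provide.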
See also
* List of DNS record types
References
[1] RFC 8709, "Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol", February 2020. https://tools.ietf.org/html/rfc8709 (accessed 2021-10-16)