SSHFP records

I hate getting this prompt:

If you see it often enough you probably ignore it, and it then loses its purpose if you find yourself blindly typing yes. SSHFP records stop that happening: the client looks the host key fingerprint up in DNS instead of asking you. As I already secure my DNS zone with DNSSEC, I think this is an acceptable way of verifying the host at the other end. If you don't have DNSSEC enabled on your zone it isn't best practice to enable this (an unsigned answer can be spoofed just as easily as the key you were going to accept blindly), but for personal use I would say it's fine.


To get started, install the sshfp package. This gives you a simple command line interface to generate the SSHFP records from a host's public keys. Once installed, simply run the command with the host as an argument:

Add the generated records to your DNS zone, making sure the record type is set to SSHFP (most DNS servers support it: PowerDNS and Bind do, TinyDNS needs a record builder). Validate that the record actually gets served using dig:

You can now enable this in your ssh_config. To set it system-wide, edit /etc/ssh/ssh_config and add VerifyHostKeyDNS yes under Host * like this:

Now when you connect to the host, ssh will look up the SSHFP record in DNS and compare it with the key the server presents. To confirm this is happening, connect to the host with debugging enabled and look for the DNS lines in the output:
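To make the record format concrete, here is an added example (not code from this post or from the sshfp package) that does what the steps above describe in pure Python: it derives SSHFP records from an OpenSSH public-key line (the fingerprint is simply SHA-1 or SHA-256 over the base64-decoded key blob, with the algorithm and fingerprint-type numbers from RFC 4255, RFC 6594 and RFC 7479), and it performs the client-side check that VerifyHostKeyDNS does, matching a presented key against a set of SSHFP RDATA. The hostname host.example.com and the ed25519 key built by make_demo_key are constructed for the example and are not real; the function names are my own.

```python
import base64
import hashlib
import struct

# OpenSSH key-type name -> SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint-type number -> hash function over the raw key blob.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_authorized_key(line):
    """Return (key_type, raw_key_blob) from an OpenSSH public-key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The blob starts with a length-prefixed copy of the key type; checking it
    # catches a corrupted or mislabelled line before we fingerprint it.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type in line does not match the encoded blob")
    return key_type, blob


def sshfp_records(hostname, pubkey_line, fp_types=(1, 2)):
    """Build zone-file SSHFP records for one host key, one per fingerprint type."""
    key_type, blob = parse_authorized_key(pubkey_line)
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    algo = SSHFP_ALGORITHMS[key_type]
    records = []
    for fp_type in fp_types:
        digest = SSHFP_HASHES[fp_type](blob).hexdigest().upper()
        records.append(f"{hostname}. IN SSHFP {algo} {fp_type} {digest}")
    return records


def verify_against_sshfp(pubkey_line, rdata_list):
    """Client-side check: does the presented key match any SSHFP RDATA ("algo fptype hex")?

    This mirrors the comparison VerifyHostKeyDNS performs. The caller must only
    pass RDATA that arrived with a validated DNSSEC signature; an unsigned
    answer proves nothing.
    """
    key_type, blob = parse_authorized_key(pubkey_line)
    algo = SSHFP_ALGORITHMS.get(key_type)
    for rdata in rdata_list:
        fields = rdata.split()
        if len(fields) != 3:
            continue  # malformed record, ignore it
        r_algo, r_fp_type, r_hex = int(fields[0]), int(fields[1]), fields[2].lower()
        if r_algo != algo or r_fp_type not in SSHFP_HASHES:
            continue  # different key algorithm or unknown hash type
        if SSHFP_HASHES[r_fp_type](blob).hexdigest() == r_hex:
            return True
    return False


def make_demo_key(seed=0):
    """Constructed ed25519 public-key line (NOT a real host key): 32 fixed bytes in OpenSSH wire format."""
    key_type = b"ssh-ed25519"
    raw = bytes((i + seed) & 0xFF for i in range(32))
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(raw)) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} demo@example"


if __name__ == "__main__":
    key = make_demo_key()
    records = sshfp_records("host.example.com", key)
    for rec in records:
        print(rec)
    rdata = [r.split(" IN SSHFP ")[1] for r in records]
    print("presented key matches DNS:", verify_against_sshfp(key, rdata))
    print("different key matches DNS:", verify_against_sshfp(make_demo_key(1), rdata))
```

Run it against a real key by feeding the contents of /etc/ssh/ssh_host_ed25519_key.pub into sshfp_records and comparing the output with what the sshfp tool or dig gives you; the digests should be identical. Note that the fingerprint is over the raw key blob, not over the base64 text, and that a record with a different algorithm number is skipped rather than compared, which is why a SHA-256 record for the same host's RSA key will never match its ed25519 key.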

Posted in DNS, Linux.
