Adding SSH Hashes to DNS

To add an extra layer of security to your server, especially when you are working on a shared client, you can add SSHFP records to the DNS record of the host. This allows the ssh client to pull the hash of the server from DNS to add an extra layer of verification that the host you are connecting to is the one you think it is. It would be possible for a bad actor who is able to access your known_hosts file to change the key of a host to a malicious key, and get around the host key verification warning. By putting the hash in DNS, it allows an extra check that everything is as it should be.

You can have more than one SSHFP record, and would usually do so if you have more than one host key type (e.g. RSA, ECDSA, ED25519, etc.). To generate the records for a bind DNS server, you can use a command like (obviously, specify your hostname):

ssh-keygen -r

This will output a hash for each key stored with the server (usually in /etc/ssh) and look like (one line each): IN SSHFP 1 1 e4ce8304332979f9308520305ca1b55e632d7308 IN SSHFP 1 2 e13fb9af121101591d47b9958fed7f08ab50227e0c01ff50a7716f2c37111970 IN SSHFP 2 1 6062e0d864a7d6fc54e073a874402aa2c33b3389 IN SSHFP 2 2 125dc0ff6b04e0d590b63852ae65cbd89bce8fb8ea89b62b2b4fcfc7a49d2f9d IN SSHFP 3 1 d1d14bb676cd1cf641110d71a17ac07a3b88f1ec IN SSHFP 3 2 8b8f48121983f37f84be15720d30b94187f1177458c4788417f36113b8ebd2af IN SSHFP 4 1 3a1f2325b388277e3f070e4a86111d5ce70be0c6 IN SSHFP 4 2 ed97c97adec727ace7ca9778ca51bae58389877c999f5f2f35463f3e8adf8dba 

The format of each line is:


The hostname should be in the form that your bind zonefile needs to represent the hostname. Look at the host’s A record to see what you need to do.

The hash type is the algorithm used to generate the hash:

  1. RSA
  2. DSA
  3. ECDSA
  4. ED25519

The fingerprint type is the hash used to generate the fingerprint:

  1. SHA-1
  2. SHA-256

You really should not be using SHA-1 fingerprints anymore, but there is no harm in including it. It gives you a secondary verification.
The rest of the line is the hash itself.

Add these records to your bind server, and reload the zone. To verify you can see the records properly, you can use dig:

dig -t SSHFP

Once you have verified that you can see the records, you need to configure your client to use them. OpenSSH does not check them by default. The option to configure is VerifyHostKeyDNS. From the ssh_config man page:

             Specifies whether to verify the remote key using DNS and SSHFP resource records.  If
             this option is set to yes, the client will implicitly trust keys that match a secure
             fingerprint from DNS.  Insecure fingerprints will be handled as if this option was
             set to ask.  If this option is set to ask, information on fingerprint match will be
             displayed, but the user will still need to confirm new host keys according to the
             StrictHostKeyChecking option.  The default is no.

You can put the VerifyHostKeyDNS in your global config or your individual config.

SSHFP records work best when the zone is configured to use DNSSEC, as you have verification that you are receiving the correct SSHFP records. ssh will not need to prompt you if all the checks pass (unless you explicitly tell it to with “ask” as the option).

Leave a Comment