What is an SSHFP record?
A Secure Shell fingerprint record (abbreviated SSHFP record) is a type of DNS resource record that identifies the SSH host keys associated with a host name. SSHFP records need to be secured with a mechanism such as DNSSEC so that a chain of trust can be established. An SSHFP record is useful for validating the server's host key fingerprint when an SSH session is set up.
SSHFP record format
A typical SSHFP record looks like the following in standard BIND format:
$ORIGIN example.com.
host 3600 IN SSHFP 2 1 123456789abcdef67890123456789abcdef67890
The anatomy of the SSHFP record
host 3600 IN SSHFP 2 1 123456789abcdef67890123456789abcdef67890
looks like the following:
Host Label | TTL | Record Class | Record Type | Algorithm | Fingerprint Type | Fingerprint |
---|---|---|---|---|---|---|
host.example.com. | 3600 | IN | SSHFP | 2 | 1 | 123456789abcdef67890123456789abcdef67890 |
Host Label
host.example.com. specifies the host name of the server to which the SSH key belongs.
TTL
The time-to-live in seconds. It specifies how long a resolver may cache the answer to the DNS query before the cached answer expires and a new query has to be made.
Record Class
Mainly 3 classes of DNS records exist:
- IN (Internet) – the default, and what the Internet generally uses.
- CH (Chaosnet) – used for querying DNS server versions.
- HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
Record Type
This field defines the record format. Common record types are A, AAAA, CNAME, CAA, TXT, etc. For an SSHFP record, the record type is SSHFP.
Algorithm
An integer value of 0-4 identifying the public key algorithm of the SSH key.
- 0 - Reserved. This value is not used.
- 1 - RSA. RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems and is widely used for secure data transmission.
- 2 - DSA. The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem.
- 3 - ECDSA. The Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography.
- 4 - Ed25519. Ed25519 is the EdDSA signature scheme using SHA-512 (SHA-2) and Curve25519.
Fingerprint Type
An integer value of 0-2 identifying the hash algorithm used to produce the fingerprint.
- 0 - Reserved. This value is not used.
- 1 - SHA-1. Produces a 160-bit (20-byte) hash value, known as a message digest, typically rendered as a 40-digit hexadecimal number.
- 2 - SHA-256. A member of the Secure Hash Algorithm 2 (SHA-2) family; produces a 256-bit (32-byte) hash value, typically rendered as a 64-digit hexadecimal number.
Fingerprint
The hash of the SSH public key, written as hexadecimal text.
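As an added example (not part of the original page or Dynu's own code), the following Python computes the Algorithm, Fingerprint Type and Fingerprint fields of an SSHFP record from an OpenSSH public key line, parses a record in the BIND format shown above, and checks a published record against a key. The Ed25519 key it uses is constructed inline and is not a real key.

```python
import base64
import hashlib
import struct

# Algorithm and fingerprint-type numbers as listed on this page.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, fingerprint_hex) for an OpenSSH public key line.
    The hash covers the decoded key blob (the base64 field), not the text line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALGORITHMS[key_type], fp_type, SSHFP_HASHES[fp_type](blob).hexdigest()


def parse_sshfp(rr_text):
    """Parse 'host 3600 IN SSHFP 2 1 <hex>' into (algorithm, fp_type, fingerprint)."""
    fields = rr_text.split()
    idx = fields.index("SSHFP")
    return int(fields[idx + 1]), int(fields[idx + 2]), fields[idx + 3].lower()


def verify_sshfp(rr_text, pubkey_line):
    """True only if algorithm, fingerprint type and hash in the record all match the key."""
    algorithm, fp_type, fingerprint = parse_sshfp(rr_text)
    if fp_type not in SSHFP_HASHES:  # 0 (reserved) or an unknown type: reject
        return False
    return (algorithm, fp_type, fingerprint) == sshfp_from_pubkey(pubkey_line, fp_type)


def constructed_ed25519_key():
    """A constructed (not real) Ed25519 public key line, only to exercise the hashing.
    SSH wire format: string("ssh-ed25519") + string(32-byte point); bytes arbitrary."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example.com"


if __name__ == "__main__":
    key = constructed_ed25519_key()
    alg, typ, fp = sshfp_from_pubkey(key)
    record = f"host 3600 IN SSHFP {alg} {typ} {fp}"
    print(record, "matches key:", verify_sshfp(record, key))
```

With a real server, `ssh-keygen -r host` prints the same Algorithm, Fingerprint Type and Fingerprint values for the host keys, and the SSH client only trusts them when the zone is DNSSEC-signed.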
SSHFP record glossary
DNSSEC
DNSSEC protects against forged DNS answers. DNSSEC-protected zones are cryptographically signed so that a resolver can verify that the DNS records it receives are identical to the DNS records published by the domain owner.
BIND
Berkeley Internet Name Daemon (BIND) is the most commonly used DNS software on the Internet; Dynu uses the BIND record format.