SSHFP record

Last updated May 10, 2025

A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established.

Structure

<span class="nowrap">⟨Name⟩</span> [<span class="nowrap">⟨[[Time to Live|TTL]]⟩</span>] [<span class="nowrap">⟨Class⟩</span>] SSHFP <span class="nowrap">⟨[[Algorithm]]⟩</span> <span class="nowrap">⟨Type⟩</span> <span class="nowrap">⟨[[Hash function|Fingerprint]]⟩</span>

⟨Name⟩: The name of the object to which the resource record belongs (optional)
⟨TTL⟩: Time to live (in seconds). Validity of Resource Records (optional)
⟨Class⟩: Protocol group to which the resource record belongs (optional)
⟨Algorithm⟩: Algorithm (0: reserved, 1: RSA,^[1] 2: DSA,^[1] 3: ECDSA,^[2] 4: Ed25519,^[3] 6: Ed448 ^[4])
⟨Type⟩: Algorithm used to hash the public key (0: reserved, 1: SHA-1,^[1] 2: SHA-256 ^[2])
⟨Fingerprint⟩: Hexadecimal representation of the hash result, as text

Example

host.example.com.SSHFP42123456789abcdef67890123456789abcdef67890123456789abcdef123456789

In this example, the host with the domain name host.example.com uses a Ed25519 key with the SHA-256 fingerprint 123456789abcdef67890123456789abcdef67890. This output would be produced by a ssh-keygen -r host.example.com. command on the target server by reading the existing default SSH host key (Ed25519).^[5]

With the OpenSSH suite, the ssh-keyscan utility can be used to determine the fingerprint of a host's key; using the -D will print out the SSHFP record directly.^[6]

References

1 2 3 Griffin, Wesley; Schlyter, Jakob (January 2006). "RFC 4255 — Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" . Retrieved 2017-12-28.
1 2 Surý, Ondřej (April 2012). "RFC 6594 — Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records" . Retrieved 2017-12-28.
↑ Moonesamy, S. (March 2015). "RFC 7479 — Using Ed25519 in SSHFP Resource Records" . Retrieved 2017-12-28.
↑ Harris, Ben; Velvindron, Loganaden (February 2020). "RFC 8709 — Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol" . Retrieved 2021-10-16.
↑ "ssh-keygen(1) - Linux manual page". www.man7.org. Retrieved 2023-03-25.
↑ "ssh-keyscan(1)". OpenBSD manual pages.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[RFC_4255-1] 1 2 3 Griffin, Wesley; Schlyter, Jakob (January 2006). "RFC 4255 — Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" . Retrieved 2017-12-28.

[RFC_6594-2] 1 2 Surý, Ondřej (April 2012). "RFC 6594 — Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records" . Retrieved 2017-12-28.

[RFC_7479-3] Moonesamy, S. (March 2015). "RFC 7479 — Using Ed25519 in SSHFP Resource Records" . Retrieved 2017-12-28.

[RFC_8709-4] Harris, Ben; Velvindron, Loganaden (February 2020). "RFC 8709 — Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol" . Retrieved 2021-10-16.

[5] "ssh-keygen(1) - Linux manual page". www.man7.org. Retrieved 2023-03-25.

[6] "ssh-keyscan(1)". OpenBSD manual pages.

[1]

[2]

[3]

[4]

[5]

[6]

SSHFP record

Contents

Structure

Example

See also

References