
An SSHFP (SSH Fingerprint) record is a specialized type of Domain Name System (DNS) resource record (type 44) that publishes the cryptographic fingerprints of an SSH server's public host keys in DNS. When the zone is signed with Domain Name System Security Extensions (DNSSEC), an SSHFP record allows client applications to automatically verify a remote server's identity, effectively protecting connections against man-in-the-middle (MITM) attacks and eliminating the risk of manual user verification errors.

The standard protocol definition for this method is laid out in IETF RFC 4255.

The Problem It Solves: The Trust Gap in SSH

When you establish a connection to a remote server via SSH for the first time, you are usually met with a prominent warning message:

The authenticity of host 'example.com (192.0.2.1)' can't be established.
ED25519 key fingerprint is SHA256:uR9…
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Because the native SSH protocol lacks a global centralized “root of trust” (unlike the Certificate Authority system used for websites), your client device cannot independently confirm whether that fingerprint actually belongs to your target server.

Most users suffer from warning fatigue and blindly type yes. If a malicious actor intercepts the network traffic via an MITM attack, they can substitute their own public key. The user blindly accepts it, giving the attacker full visibility into the subsequent login credentials and session data.

How an SSHFP Record Works

An SSHFP record fills this security gap by transforming the DNS infrastructure into an out-of-band validation ledger. When properly deployed, the authentication workflow operates seamlessly behind the scenes:

1. The SSH client connects to the SSH server.
2. The server presents its public host key, from which the client computes a fingerprint.
3. The client queries DNS for the SSHFP record of the server's hostname.
4. A DNSSEC-validating resolver obtains the record from the DNS server and returns it cryptographically validated.
5. The client matches the DNS fingerprint against the server's fingerprint; on a match the connection is trusted and the warning prompt is bypassed.
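The workflow above, as an added worked example that is not part of the original article: the zone-operator side builds the SSHFP RDATA from an OpenSSH public key line (the same calculation ssh-keygen -r performs), and the client side accepts a presented host key only when a DNSSEC-validated record carries a matching fingerprint. The key bytes, hostname and the dnssec_validated flag are constructed for the example; in a real client that flag comes from the resolver's AD bit.

```python
import base64
import hashlib
import struct

# Algorithm and fingerprint-type numbers from the RFC 4255 / IANA SSHFP registries.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4, "ssh-ed448": 6}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def decode_pubkey_line(pubkey_line):
    """Return (keytype, wire-format blob) from an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed key type; it must agree with the
    # declared type, otherwise the line is malformed or has been tampered with.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match declared type")
    return keytype, blob

def sshfp_rdata(pubkey_line, fptype=2):
    """SSHFP RDATA '<alg> <fptype> <hex>' for one host key (what ssh-keygen -r emits)."""
    keytype, blob = decode_pubkey_line(pubkey_line)
    return f"{SSHFP_ALGORITHMS[keytype]} {fptype} {SSHFP_FPTYPES[fptype](blob).hexdigest()}"

def host_key_matches(rdata_set, pubkey_line, dnssec_validated):
    """Client check: trust the key only if a DNSSEC-validated SSHFP record matches it."""
    if not dnssec_validated:  # an unvalidated DNS answer could itself be forged
        return False
    keytype, blob = decode_pubkey_line(pubkey_line)
    for rdata in rdata_set:
        alg, fptype, fp = rdata.split()
        if int(alg) != SSHFP_ALGORITHMS[keytype] or int(fptype) not in SSHFP_FPTYPES:
            continue  # record is for another key algorithm or an unknown hash type
        if SSHFP_FPTYPES[int(fptype)](blob).hexdigest() == fp.lower():
            return True
    return False

def constructed_key_line(keytype, raw_key):
    """Assemble a syntactically valid public key line from CONSTRUCTED key bytes
    (not a real key) so the example runs offline."""
    blob = (struct.pack(">I", len(keytype)) + keytype.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"{keytype} {base64.b64encode(blob).decode()} constructed@example"

SAMPLE_KEY = constructed_key_line("ssh-ed25519", bytes(range(32)))
# Records a zone operator would publish for the host (SHA-1 and SHA-256 types):
ZONE_RDATA = [sshfp_rdata(SAMPLE_KEY, 1), sshfp_rdata(SAMPLE_KEY, 2)]
```

Each entry in ZONE_RDATA is published as "hostname IN SSHFP <rdata>"; the client-side check refuses to trust any record unless the resolver reported it as DNSSEC-validated, which is also why an unsigned zone gives no MITM protection.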
