1How to verify host keys using OpenSSH and DNS 2--------------------------------------------- 3 4OpenSSH contains support for verifying host keys using DNS as described 5in https://tools.ietf.org/html/rfc4255. The document contains very brief 6instructions on how to use this feature. Configuring DNS is out of the 7scope of this document. 8 9 10(1) Server: Generate and publish the DNS RR 11 12To create a DNS resource record (RR) containing a fingerprint of the 13public host key, use the following command: 14 15 ssh-keygen -r hostname -f keyfile -g 16 17where "hostname" is your fully qualified hostname and "keyfile" is the 18file containing the public host key file. If you have multiple keys, 19you should generate one RR for each key. 20 21In the example above, ssh-keygen will print the fingerprint in a 22generic DNS RR format parsable by most modern name server 23implementations. If your nameserver has support for the SSHFP RR 24you can omit the -g flag and ssh-keygen will print a standard SSHFP RR. 25 26To publish the fingerprint using the DNS you must add the generated RR 27to your DNS zone file and sign your zone. 28 29 30(2) Client: Enable ssh to verify host keys using DNS 31 32To enable the ssh client to verify host keys using DNS, you have to 33add the following option to the ssh configuration file 34($HOME/.ssh/config or /etc/ssh/ssh_config): 35 36 VerifyHostKeyDNS yes 37 38Upon connection the client will try to look up the fingerprint RR 39using DNS. If the fingerprint received from the DNS server matches 40the remote host key, the user will be notified. 41 42 43 Jakob Schlyter 44 Wesley Griffin 45 46 47$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $ 48