Verifying SSH Key Fingerprints with DNS records

SSH Fingerprinting is a method to provide DNS records for key fingerprint verification of any client that logs into said machine.

Doing this will prevent users from blindly typing ‘yes’ when asked if they want to continue connecting to an SSH host who’s authenticity is unknown.

Most of the people just type ‘yes’ without even checking if it’s correct or not, which defeats the purpose of the prompt.

The fingerprint records together with DNSSEC will completely bypass the prompt and have SSH verify the fingerprint automatically.

If the authenticity of the host is unknown, you haven’t been logged in before or you have changed the fingerprint of the machine, you will be greeted by a very familiar prompt, and most users here will just type yes without even checking if really we are connecting to the correct machine.

$ ssh
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added '' (ECDSA) to the list of known hosts.

Generating SSH Key Fingerpint records

If you want to generate the DNS records you need to login to the said server and run ssh-keygen to generate the records, and then add the relevant records to your DNS server.

$ ssh-keygen -r IN SSHFP 1 1 db744817e8d6ac2027e6629aac7f0fc1750f6588 IN SSHFP 1 2 a61db02b9b26ca48663c3272821b451773c7cd1e9a412f5a09994ec8f8738c79 IN SSHFP 2 1 493a9e6a4b5078b1d0c5424aecf817ea54e1dfdf IN SSHFP 2 2 064b9dd10805069eb508bd087a37db61fda2107138924112ded3ccdbaafd6cb3 IN SSHFP 3 1 7c4b9b9105d6a0d7aacf44534a7800fc10466683 IN SSHFP 3 2 cb6493b10e1103ff1dbab86989cfa96fa52370ac33efe6d468a5f70b8d323869 IN SSHFP 4 1 69ac080ccf6cd52f4788373bd4dca21731e69713 IN SSHFP 4 2 7cae4ff942899f8e155bfc675e72e4146a1bf4107977fe73c6cffa8f3fda8fc3

Each line contains the following information

#HostnameAlgorithmFingerprint TypeHash


  1. RSA
  2. DSA
  3. ECDSA
  4. ED25519

You should never use DSA or ECDSA, Ed25519 is probably the strongest mathematically (and also the fastest), but not yet widely supported. As a bonus, it has stronger encryption (password-protection) of the private key by default than other key types. RSA is the best bet if you can’t use Ed25519.

Fingerprint type

  1. SHA-1
  2. SHA-2

You shouldn’t use SHA-1 fingerprints as they are less secure.

DNS Records

After adding the DNS records you can check if they are present or not very simple

$ dig SSHFP +noadditional +noquestion +nocomments +nocmd +nostats	10539	IN	SSHFP	4 2 7CAE4FF942899F8E155BFC675E72E4146A1BF4107977FE73C6CFFA8F 3FDA8FC3	10539	IN	SSHFP	3 1 7C4B9B9105D6A0D7AACF44534A7800FC10466683	10539	IN	SSHFP	3 2 CB6493B10E1103FF1DBAB86989CFA96FA52370AC33EFE6D468A5F70B 8D323869	10539	IN	SSHFP	4 1 69AC080CCF6CD52F4788373BD4DCA21731E69713

SSH Client

You need to add VerifyHostKeyDNS to your ~/.ssh/config or your global /etc/ssh/ssh_config, if you set this property then SSH will try to validate host keys from DNS.

Host *
    VerifyHostKeyDNS yes

Connecting to SSH with SSHFP

Now if I connect to the server I get the following prompt, without DNSSEC you will still get a prompt, and Matching host key fingerprint found in DNS line in the output now.

$ ssh
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

With DNSSEC in place it will not add a new entry in ~/.ssh/known_hosts, and will connect right away.


  1. Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
  2. ECDSA and SHA-256 Algorithms for SSHFP
  3. Using ED25519 in SSHFP Resource Records