What Is an SSHFP Record
Learn how SSHFP records publish SSH host key fingerprints in DNS for server verification. Includes examples for the DNScale dashboard and API.
An SSHFP (SSH Fingerprint) record publishes the fingerprint of an SSH server's host key in DNS. This allows SSH clients to verify a server's identity through DNS instead of relying solely on the "trust on first use" (TOFU) model.
How SSHFP Records Work
When you first connect to an SSH server, you see a message like:

```text
The authenticity of host 'server.example.com' can't be established.
ED25519 key fingerprint is SHA256:abc123...
Are you sure you want to continue connecting (yes/no)?
```

SSHFP records eliminate this uncertainty by publishing the expected fingerprint in DNS:

```dns
server.example.com. 3600 SSHFP 4 2 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
```

SSH clients configured to use SSHFP will verify the server's key against DNS automatically.
Record Components
| Component | Description |
|---|---|
| Algorithm | SSH key algorithm type |
| Fingerprint Type | Hash algorithm used |
| Fingerprint | Hex-encoded fingerprint |
Algorithm Values
| Value | Algorithm |
|---|---|
| 1 | RSA |
| 2 | DSA (deprecated) |
| 3 | ECDSA |
| 4 | Ed25519 |
| 6 | Ed448 |
Fingerprint Type Values
| Value | Hash Algorithm |
|---|---|
| 1 | SHA-1 (deprecated) |
| 2 | SHA-256 (recommended) |
Common Use Cases
Single SSH Server
Publish all key types for comprehensive coverage:

```dns
server.example.com. 3600 SSHFP 1 2 abc123... ; RSA
server.example.com. 3600 SSHFP 3 2 def456... ; ECDSA
server.example.com. 3600 SSHFP 4 2 ghi789... ; Ed25519
```

Multiple Servers

```dns
server1.example.com. 3600 SSHFP 4 2 hash1...
server2.example.com. 3600 SSHFP 4 2 hash2...
git.example.com. 3600 SSHFP 4 2 hash3...
```

Bastion/Jump Host

```dns
bastion.example.com. 3600 SSHFP 4 2 abc123...
bastion.example.com. 3600 SSHFP 3 2 def456...
```

Record Format
| Field | Description | Example |
|---|---|---|
| Name | Server hostname | server.example.com |
| Type | Record type | SSHFP |
| Algorithm | Key algorithm | 4 (Ed25519) |
| FP Type | Hash type | 2 (SHA-256) |
| Fingerprint | Hex fingerprint | e3b0c44... |
| TTL | Time to live (seconds) | 3600 |
Generating SSHFP Records
Using ssh-keygen
The easiest method is ssh-keygen -r:
```bash
# Generate SSHFP records for all host keys (reads the default host key files under /etc/ssh)
ssh-keygen -r server.example.com
# Output:
# server.example.com IN SSHFP 1 2 abc123... (RSA)
# server.example.com IN SSHFP 3 2 def456... (ECDSA)
# server.example.com IN SSHFP 4 2 ghi789... (Ed25519)
```

From Remote Server

```bash
# Get the fingerprint from a remote server.
# ssh-keygen -r -f reads a single key, so pick one key type with ssh-keyscan -t.
# Only trust this output if the network path to the server is already trusted;
# where possible, run ssh-keygen -r on the server itself instead.
ssh-keyscan -t ed25519 server.example.com | ssh-keygen -r server.example.com -f /dev/stdin
```

Manual Calculation

```bash
# For a specific key file: the fingerprint is the SHA-256 of the raw (base64-decoded) key blob
awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | \
  base64 -d | \
  sha256sum | \
  awk '{print $1}'
```

Adding an SSHFP Record
Using the Dashboard
- Navigate to your zone in the DNScale dashboard
- Click Add Record
- Configure the record:
  - Name: Enter the server hostname (e.g., server)
  - Type: Select SSHFP
  - Algorithm: Select the key algorithm (RSA, ECDSA, Ed25519)
  - Fingerprint Type: Select SHA-256 (recommended)
  - Fingerprint: Enter the hex-encoded fingerprint
  - TTL: Set the cache duration (default: 3600)
- Click Create Record
Using the API
Create an SSHFP record:

```bash
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "server",
    "type": "SSHFP",
    "content": "4 2 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ttl": 3600
  }'
```

Add multiple key types:

```bash
# Ed25519 key
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "server",
    "type": "SSHFP",
    "content": "4 2 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ttl": 3600
  }'

# ECDSA key
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "server",
    "type": "SSHFP",
    "content": "3 2 abc123def456789...",
    "ttl": 3600
  }'
```

API Response:
```json
{
  "status": "success",
  "data": {
    "message": "Record created successfully",
    "record": {
      "id": "encoded-record-id",
      "name": "server.example.com.",
      "type": "SSHFP",
      "content": "4 2 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "ttl": 3600,
      "disabled": false
    }
  }
}
```

Configuring SSH Client
To enable SSHFP verification, configure your SSH client:

~/.ssh/config

```text
Host *.example.com
    VerifyHostKeyDNS yes
```

Command Line

```bash
ssh -o VerifyHostKeyDNS=yes server.example.com
```

Verification Levels

| Setting | Behavior |
|---|---|
| yes | Verify with SSHFP, warn if missing |
| ask | Verify with SSHFP, prompt user if missing |
| no | Don't use SSHFP (default) |
DNSSEC Requirement
For SSHFP to provide real security, your zone must be DNSSEC-signed:
- With DNSSEC: SSHFP provides cryptographic proof of server identity
- Without DNSSEC: SSHFP is informational only (DNS can be spoofed)
Check DNSSEC status:

```bash
dig +dnssec server.example.com SSHFP
```

Best Practices
- Use SHA-256 - Always use fingerprint type 2 (SHA-256), not SHA-1
- Publish all key types - Add SSHFP records for all host keys your server offers
- Enable DNSSEC - Without DNSSEC, SSHFP provides limited security benefit
- Update on key rotation - When you regenerate host keys, update SSHFP records
- Use Ed25519 keys - Modern, secure, and produces shorter fingerprints
- Automate record generation - Include SSHFP record creation in server provisioning
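The last practice, automating record generation, is shown below as an added example; it is not DNScale's own tooling. The script turns the lines printed by `ssh-keygen -r` into the request bodies the API section above expects (`name`, `type`, `content`, `ttl`), converts the fully qualified owner name into a zone-relative name, and drops the SHA-1 (type 1) lines that `ssh-keygen -r` emits alongside the SHA-256 ones. The API base URL and headers are taken from the page's curl examples; the use of `@` for a record at the zone apex, the `publish` helper built on `urllib`, and the sample `ssh-keygen -r` output (with placeholder fingerprints) are assumptions made for this example.

```python
import json
import urllib.request

# Base URL as used in the page's curl examples.
API_BASE = "https://api.dnscale.eu/v1"


def fqdn_to_relative(fqdn: str, zone: str) -> str:
    """Turn 'server.example.com.' into the zone-relative name 'server'.

    Assumption: the apex of the zone is written as '@'.
    """
    host, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    if host == zone:
        return "@"
    if not host.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return host[: -len(zone) - 1]


def sshfp_payloads(keygen_output: str, zone: str, ttl: int = 3600,
                   sha256_only: bool = True) -> list:
    """Convert `ssh-keygen -r` output lines into DNScale record payloads.

    ssh-keygen -r prints one SHA-1 (type 1) and one SHA-256 (type 2) line
    per host key; with sha256_only the deprecated SHA-1 lines are skipped.
    """
    payloads = []
    for line in keygen_output.splitlines():
        fields = line.split()
        if "SSHFP" not in fields:
            continue  # blank lines or anything that is not an SSHFP record
        i = fields.index("SSHFP")
        owner = fields[0]
        algorithm, fp_type = int(fields[i + 1]), int(fields[i + 2])
        fingerprint = fields[i + 3].lower()
        if sha256_only and fp_type != 2:
            continue
        payloads.append({
            "name": fqdn_to_relative(owner, zone),
            "type": "SSHFP",
            "content": f"{algorithm} {fp_type} {fingerprint}",
            "ttl": ttl,
        })
    return payloads


def publish(zone_id: str, api_key: str, payload: dict) -> dict:
    """POST one record, mirroring the page's curl call (performs network I/O).

    Assumption: the endpoint accepts the same JSON body as the curl example.
    """
    req = urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/records",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of `ssh-keygen -r server.example.com` output.
# The fingerprints are placeholders, not digests of real keys.
SAMPLE_KEYGEN_OUTPUT = """\
server.example.com IN SSHFP 1 1 0123456789abcdef0123456789abcdef01234567
server.example.com IN SSHFP 1 2 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
server.example.com IN SSHFP 4 1 89abcdef0123456789abcdef0123456789abcdef
server.example.com IN SSHFP 4 2 ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""


if __name__ == "__main__":
    for payload in sshfp_payloads(SAMPLE_KEYGEN_OUTPUT, "example.com"):
        print(json.dumps(payload))
    # In provisioning you would feed real output, e.g.
    #   subprocess.check_output(["ssh-keygen", "-r", fqdn], text=True)
    # and call publish(zone_id, api_key, payload) for each payload.
```

In a provisioning script, run `ssh-keygen -r "$(hostname -f)"` on the freshly built host, pass its output to `sshfp_payloads`, and call `publish` once per payload; re-run the same step after every host key rotation so the records never lag behind the keys.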
Host Key Rotation
When rotating SSH host keys:
- Generate new keys on the server
- Add new SSHFP records
- Wait for DNS propagation (at least TTL duration)
- Replace keys on the server
- Remove old SSHFP records
```bash
# Step 1: Generate new keys (kept beside the live ones until DNS has caught up)
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key_new -N ""
# Step 2: Publish SSHFP records for the new key alongside the existing ones
ssh-keygen -r server.example.com -f /etc/ssh/ssh_host_ed25519_key_new.pub
# Step 3: Wait at least one TTL so resolvers have the new records
# Step 4: Replace keys (move the .pub as well, since ssh-keygen -r reads it)
mv /etc/ssh/ssh_host_ed25519_key_new /etc/ssh/ssh_host_ed25519_key
mv /etc/ssh/ssh_host_ed25519_key_new.pub /etc/ssh/ssh_host_ed25519_key.pub
systemctl reload sshd
# Step 5: Remove the SSHFP records of the old key
```

Testing SSHFP Records
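The manual calculation from the Generating SSHFP Records section and the "compare local fingerprint with DNS" check in this section can both be done in code. The following Python script is an added example, not code from the DNScale page: it computes the SSHFP fingerprint of an OpenSSH public-key line (in both `.pub` and `ssh-keyscan`/known_hosts layout), checks that the key blob really carries the declared key type, parses SSHFP rdata as `dig` prints it, and accepts a presented host key only if a SHA-256 record for its algorithm matches. The `constructed_pubkey_line` helper builds a placeholder key line for demonstration; the 32 bytes it embeds are not a real key.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# SSHFP algorithm numbers by OpenSSH key type name (RFC 4255, 6594, 7479, 8709).
KEY_TYPE_TO_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
FP_SHA1 = 1     # deprecated; computed for completeness, never used to accept a key
FP_SHA256 = 2


@dataclass(frozen=True)
class SSHFP:
    algorithm: int
    fp_type: int
    fingerprint: str  # lowercase hex digest of the raw public key blob

    def to_zone_line(self, owner: str, ttl: int = 3600) -> str:
        return f"{owner} {ttl} IN SSHFP {self.algorithm} {self.fp_type} {self.fingerprint}"


def sshfp_from_pubkey_line(line: str, fp_type: int = FP_SHA256) -> SSHFP:
    """Compute the SSHFP record for one OpenSSH public-key line.

    Accepts "<type> <base64> [comment]" (a .pub file) and
    "<host> <type> <base64>" (ssh-keyscan / known_hosts output).
    """
    if fp_type not in (FP_SHA1, FP_SHA256):
        raise ValueError("unknown fingerprint type")
    fields = line.split()
    if fields and fields[0] not in KEY_TYPE_TO_ALGORITHM:
        fields = fields[1:]  # drop a leading hostname
    if len(fields) < 2 or fields[0] not in KEY_TYPE_TO_ALGORITHM:
        raise ValueError("unrecognised public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed type string; it must match the
    # declared type, otherwise the line is malformed or has been edited.
    if len(blob) < 4:
        raise ValueError("public key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key blob type does not match declared key type")
    digest = hashlib.sha256 if fp_type == FP_SHA256 else hashlib.sha1
    return SSHFP(KEY_TYPE_TO_ALGORITHM[key_type], fp_type, digest(blob).hexdigest())


def parse_sshfp_rdata(rdata: str) -> SSHFP:
    """Parse SSHFP rdata as dig prints it (hex may be upper case and split by spaces)."""
    alg, fpt, hexfp = rdata.split(None, 2)
    return SSHFP(int(alg), int(fpt), "".join(hexfp.split()).lower())


def verify_host_key(pubkey_line: str, published: list) -> tuple:
    """Decide whether a presented host key matches the SSHFP set from DNS.

    Only SHA-256 records count; SHA-1 records are ignored as deprecated.
    Returns (accepted, reason).
    """
    presented = sshfp_from_pubkey_line(pubkey_line, FP_SHA256)
    candidates = [r for r in published
                  if r.algorithm == presented.algorithm and r.fp_type == FP_SHA256]
    if not candidates:
        return False, "no SHA-256 SSHFP record for this key algorithm"
    if any(r.fingerprint == presented.fingerprint for r in candidates):
        return True, "fingerprint matches a published SSHFP record"
    return False, "fingerprint does not match any published SSHFP record"


def constructed_pubkey_line(fill: int) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line for demonstration.

    The 32 bytes of key material are a constructed placeholder, not a real key.
    """
    raw = bytes([fill]) * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " placeholder@example"


if __name__ == "__main__":
    key = constructed_pubkey_line(0x42)
    record = sshfp_from_pubkey_line(key)
    print(record.to_zone_line("server.example.com."))
    print(verify_host_key(key, [record]))
```

To check a real host, feed `sshfp_from_pubkey_line` the contents of `/etc/ssh/ssh_host_ed25519_key.pub` and compare with the rdata returned by `dig SSHFP server.example.com`; the SHA-256 fingerprint is always 64 hex characters whatever the key algorithm. Because the client trusts whatever DNS returns, this comparison only carries security weight when the answer is DNSSEC-validated, as the DNSSEC Requirement section explains.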
```bash
# Query SSHFP records
dig SSHFP server.example.com
# Verify SSH connection with SSHFP
ssh -v -o VerifyHostKeyDNS=yes server.example.com
# Compare local fingerprint with DNS
ssh-keygen -r server.example.com
```

Related Record Types
- TLSA - TLS certificate fingerprints (similar concept)
- A - Server IP address
- AAAA - Server IPv6 address
Conclusion
SSHFP records provide a DNS-based method for SSH host key verification, reducing reliance on the "trust on first use" model. When combined with DNSSEC, SSHFP offers strong cryptographic proof of server identity. DNScale makes it easy to publish SSHFP records for your servers, with dedicated fields for algorithm and fingerprint type selection.