Tag Archives: DNSSEC

Generating SSHFP Records

I added a new server to our hackerspace last week. This new server will be used for research in security. When I was adding the new DNS record when I realized that the previous server had a SSHFP record as well!

I remember that I should use the ssh-keygen command, however, like a normal human being, I forgot which flag to use. A simple search in the manual page says that I should use -r flag, so here we go.

antranigv@srv0:~ % ssh-keygen -r srv0
srv0 IN SSHFP 1 1 785b3fa04870e92bf25f4c7f7092733acf586ffb
srv0 IN SSHFP 1 2 847fd4a76ef7dfcef31ac3fa18c139413ab0017fa17014b3884bff161c3364de
srv0 IN SSHFP 3 1 8268aa7b8dccf4c0e7881472c72093589ca46b2e
srv0 IN SSHFP 3 2 ea0c9f0a50a825f5a0a59cebf8637876970a34000e6e0afd46bf269e08294a88
srv0 IN SSHFP 4 1 2fbe9d0e2ecdbd9dd58576e4683ee70858ca3f25
srv0 IN SSHFP 4 2 a34643bdce1ef3042cdd76fb7e46fcaf108dc436f8fcdb55daf993a27da0654b

All I need to do is to add these into the DNS zone. Luckily I run BIND, so I copy-pastad them into the file, did +1 to the SOA’s serial and done!

Now I can try logging in.

antranigv@zvartnots:~ $ ssh srv0.hackerspace.am -v
OpenSSH_9.3p1, OpenSSL 3.1.3 19 Sep 2023
debug1: Reading configuration data /Users/antranigv/.ssh/config
debug1: Reading configuration data /Users/antranigv/.ssh/personal
debug1: Server host key: ssh-ed25519 SHA256:OCsizTimnJi1grbxSY5LpvpLozfZ2pk+4Jzwg60WKYA debug1: found 6 secure fingerprints in DNS debug1: verify_host_key_dns: matched SSHFP type 4 fptype 1 debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2 debug1: matching host key fingerprint found in DNS

and I logged in properly!

Reply via email.

Antranig Vartanian

March 28, 2023

I’m sure at this point everyone heard that GitHub updated their RSA SSH host key.

This is a common issue, say you re-installed a server at the same IP/hostname. No problem, you remove a line and put in another one.

But honestly, I thought that GitHub had SSHFP records in their DNS.

$ dig SSHFP github.com +short | wc 
       0       0       0

Not so much… But then again, looks like they DO need to sign their zone first.

$ whois github.com | grep DNSSEC
   DNSSEC: unsigned
DNSSEC: unsigned

I have to say, using SSHFP has changed my life. Obviously there are some issues (Windows and macOS, specifically), but if you’re running a normal, modern operating system (hello BSDs, hello Linux) then it’s like magic!

I just setup one for our hackerspace!

$ whois hackerspace.am | grep DS
   DNS servers (zone signed, 1 DS record):
$ dig hackerspace.am SSHFP +short | wc -l

Anyway, I’m sure many CI/CD pipelines are going crazy because of this… Good luck everyone!

Reply via email.