SSHFP record

A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH public keys that are associated with a host name. An SSHFP record only establishes a chain of trust if its retrieval is itself secured by a mechanism such as DNSSEC; an unvalidated record is no more trustworthy than an unverified host key.

Structure

{{pre|{{angbr|Name}} [{{angbr|TTL}}] [{{angbr|Class}}] SSHFP {{angbr|Algorithm}} {{angbr|Type}} {{angbr|Fingerprint}}}}

; {{angbr|Name}}: The name of the object to which the resource record belongs (optional)

; {{angbr|TTL}}: Time to live, in seconds, for which the resource record remains valid (optional)

; {{angbr|Class}}: Protocol group to which the resource record belongs (optional)

; {{angbr|Algorithm}}: Public key algorithm of the SSH host key (0: reserved, 1: RSA, 2: DSA, 3: ECDSA, 4: Ed25519, 6: Ed448)

; {{angbr|Type}}: Algorithm used to hash the public key (0: reserved, 1: SHA-1, 2: SHA-256)

; {{angbr|Fingerprint}}: Hexadecimal representation of the hash result, as text

Example

{{sxhl|host.example.com. SSHFP 4 2 123456789abcdef67890123456789abcdef67890123456789abcdef123456789|zone}}

In this example, the host with the domain name host.example.com uses an Ed25519 key (algorithm 4) whose SHA-256 fingerprint (type 2) is 123456789abcdef67890123456789abcdef67890123456789abcdef123456789.

This output would be produced by an ssh-keygen -r host.example.com. command on the target server, which reads the existing default SSH host key (here Ed25519) and prints the corresponding SSHFP records.{{Cite web |title=ssh-keygen(1) - OpenBSD manual pages |url=https://man.openbsd.org/ssh-keygen#r |access-date=2025-05-30 |website=man.openbsd.org}} In newer releases of the OpenSSH suite, ssh-keyscan -D $HOSTNAME{{Cite web |title=ssh-keyscan(1) - OpenBSD manual pages |url=https://man.openbsd.org/ssh-keyscan.1#D |access-date=2025-05-30 |website=man.openbsd.org}} can be used to produce a similar result by connecting to the host over the network; since that key is obtained over an unauthenticated connection, its fingerprint should be compared against the key on the server before being published.
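As an added example (not code from the article or from OpenSSH), the following Python computes SSHFP records from an OpenSSH public-key line the same way ssh-keygen -r does (the fingerprint is the hash of the decoded key blob), and checks a host key against a published record. The Ed25519 key material is constructed for illustration, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479, RFC 8709).
KEY_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4, "ssh-ed448": 6,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
HASH_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(hostname, pubkey_line, fp_types=(1, 2)):
    """Return SSHFP zone lines for one OpenSSH public-key line.
    The fingerprint covers the raw key blob (the base64 field decoded)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob's first wire-format string must name the declared key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key blob does not match declared key type")
    alg = KEY_ALGORITHMS[keytype]
    return [f"{hostname}. IN SSHFP {alg} {t} {HASH_TYPES[t](blob).hexdigest()}"
            for t in fp_types]


def matches_sshfp(pubkey_line, record):
    """Check a host key against one SSHFP record, as an SSH client with
    VerifyHostKeyDNS does. Trust in the record itself still rests on DNSSEC."""
    alg, fp_type, fingerprint = record.split()[-3:]
    keytype, b64 = pubkey_line.split()[:2]
    if KEY_ALGORITHMS.get(keytype) != int(alg) or int(fp_type) not in HASH_TYPES:
        return False
    digest = HASH_TYPES[int(fp_type)](base64.b64decode(b64)).hexdigest()
    return digest == fingerprint.lower()


def _constructed_ed25519_line():
    """Constructed (not real) Ed25519 public key in OpenSSH wire format:
    string "ssh-ed25519" followed by a 32-byte string."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


SAMPLE_KEY = _constructed_ed25519_line()

if __name__ == "__main__":
    for line in sshfp_records("host.example.com", SAMPLE_KEY):
        print(line)
```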

See also

References

