SSHFP Record Security
The SSHFP record (SSH Fingerprint) publishes SSH host key fingerprints in DNS. When connecting via SSH, the client can verify that the server's key matches the fingerprint in DNS, protecting against man-in-the-middle attacks without manually verifying fingerprints.
What Is an SSHFP Record?
When you first connect to an SSH server, you typically see a prompt like:
```text
The authenticity of host 'server.example.com' can't be established.
ED25519 key fingerprint is SHA256:abc123...
Are you sure you want to continue connecting (yes/no)?
```
SSHFP records let SSH clients automatically verify this fingerprint through DNS, eliminating the need for manual verification and reducing the risk of accepting a compromised key.
DNSSEC Required
SSHFP verification is only secure if the zone is signed with DNSSEC. Without DNSSEC, an attacker could forge SSHFP records.
SSHFP Record Format
Example SSHFP Record
```text
server.example.com. 3600 IN SSHFP 4 2 abc123def456...
```
SSHFP Record Fields
| Field | Description | Values |
|---|---|---|
| Algorithm | Key algorithm type | 1=RSA, 2=DSA, 3=ECDSA, 4=Ed25519 |
| Fingerprint Type | Hash algorithm | 1=SHA-1, 2=SHA-256 |
| Fingerprint | Hex-encoded hash | Variable length |
Algorithm Types
| Value | Algorithm | Status |
|---|---|---|
| 1 | RSA | Widely used |
| 2 | DSA | Deprecated |
| 3 | ECDSA | Common |
| 4 | Ed25519 | Recommended |
| 6 | Ed448 | Supported |
Generating SSHFP Records
Use ssh-keygen to generate SSHFP records from your host keys:
```shell
# Generate SSHFP records for all host keys found in /etc/ssh
ssh-keygen -r server.example.com
# Or for one specific public key file:
ssh-keygen -r server.example.com -f /etc/ssh/ssh_host_ed25519_key.pub

# Output example (one record per key type and fingerprint type):
server.example.com IN SSHFP 1 1 abc... # RSA SHA-1
server.example.com IN SSHFP 1 2 def... # RSA SHA-256
server.example.com IN SSHFP 4 2 ghi... # Ed25519 SHA-256
```
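The following Python is an added example, not code from this page or from the DNS Explorer tool. It shows what ssh-keygen -r computes: the fingerprint is the SHA-1 or SHA-256 hash of the key's raw wire-format blob (the base64 field of the public-key line), hex-encoded, and it checks a presented key against an SSHFP record in any of the layouts shown on this page. The Ed25519 key it uses is constructed from arbitrary bytes and is not a real host key.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers and fingerprint types from the record tables above.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4, "ssh-ed448": 6,
}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey_line(line):
    """Return (key type, wire-format blob) from an OpenSSH public-key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; cross-check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match the line")
    return keytype, blob

def sshfp_record(hostname, pubkey_line, fp_type=2):
    """Build the SSHFP record for a host key: hash of the blob, hex-encoded."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    digest = FP_TYPES[fp_type](blob).hexdigest()
    return f"{hostname} IN SSHFP {SSHFP_ALGORITHMS[keytype]} {fp_type} {digest}"

def matches_sshfp(pubkey_line, record):
    """Does a presented host key match an SSHFP record (full line or rdata only)?"""
    rdata = record.split(";")[0].split("#")[0]       # drop zone-file / shell comments
    fields = rdata.split("SSHFP", 1)[-1].split()
    alg, fp_type = int(fields[0]), int(fields[1])
    fp_hex = "".join(fields[2:]).lower()             # dig may split the hex with spaces
    keytype, blob = parse_pubkey_line(pubkey_line)
    if SSHFP_ALGORITHMS.get(keytype) != alg or fp_type not in FP_TYPES:
        return False
    expected = FP_TYPES[fp_type](blob).hexdigest()
    return hmac.compare_digest(expected.encode(), fp_hex.encode())

def constructed_ed25519_pubkey():
    """Constructed sample only: 32 arbitrary bytes packed as an ssh-ed25519 key."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"
```

Feeding a real /etc/ssh/ssh_host_*.pub line to sshfp_record reproduces the corresponding ssh-keygen -r line, which is a quick way to confirm that published records still match the keys a server actually serves.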
Configuring SSH Client
Enable SSHFP verification in ~/.ssh/config or /etc/ssh/ssh_config:
```text
Host *
    # Verify host keys via SSHFP; use "ask" instead of "yes" to prompt before accepting
    VerifyHostKeyDNS yes
```
With VerifyHostKeyDNS yes, ssh accepts a host key that matches a DNSSEC-validated SSHFP record without prompting; if the DNS answer is not validated (no AD flag from a validating resolver), the match is treated as insecure and the usual fingerprint prompt still appears.
SSHFP Best Practices
- Use DNSSEC — SSHFP is only secure with DNSSEC; without it, records can be spoofed.
- Use SHA-256 — Always include type 2 (SHA-256) fingerprints; SHA-1 is weak.
- Include all key types — Add SSHFP for each key type your server offers.
- Update after key rotation — When changing host keys, update SSHFP records.
- Keep RSA for compatibility — Include RSA SSHFP for older clients.
Example Complete SSHFP Setup
```text
; SSHFP records for server.example.com
server.example.com. SSHFP 1 2 a1b2c3d4e5f6... ; RSA SHA-256
server.example.com. SSHFP 3 2 f6e5d4c3b2a1... ; ECDSA SHA-256
server.example.com. SSHFP 4 2 123456789abc... ; Ed25519 SHA-256
```
Troubleshooting SSHFP
Common issues and solutions:
- SSH not verifying — Enable VerifyHostKeyDNS in SSH config.
- "DNS lookup failed" — Check that SSHFP records exist and DNS is working.
- "DNSSEC validation failed" — Ensure zone is properly signed with DNSSEC.
- Fingerprint mismatch — Regenerate SSHFP records after key changes.
- "Insecure" warning — SSHFP requires DNSSEC for secure verification.
Monitor Your SSH Security
DNS Explorer validates SSHFP records, checks DNSSEC status, and alerts you when SSH host keys change.
Related Record Types
- TLSA Record — TLS certificate verification
- DNSKEY Record — DNSSEC zone keys
- A Record — Server IP address
- AAAA Record — Server IPv6 address