README.dns revision 126274
10SN/AHow to verify host keys using OpenSSH and DNS 26073SN/A--------------------------------------------- 30SN/A 40SN/AOpenSSH contains support for verifying host keys using DNS as described in 50SN/Adraft-ietf-secsh-dns-05.txt. The document contains very brief instructions 60SN/Aon how to use this feature. Configuring DNS is out of the scope of this 72362SN/Adocument. 80SN/A 92362SN/A 100SN/A(1) Server: Generate and publish the DNS RR 110SN/A 120SN/ATo create a DNS resource record (RR) containing a fingerprint of the 130SN/Apublic host key, use the following command: 140SN/A 150SN/A ssh-keygen -r hostname -f keyfile -g 160SN/A 170SN/Awhere "hostname" is your fully qualified hostname and "keyfile" is the 180SN/Afile containing the public host key file. If you have multiple keys, 190SN/Ayou should generate one RR for each key. 200SN/A 212362SN/AIn the example above, ssh-keygen will print the fingerprint in a 222362SN/Ageneric DNS RR format parsable by most modern name server 232362SN/Aimplementations. If your nameserver has support for the SSHFP RR 240SN/Ayou can omit the -g flag and ssh-keygen will print a standard SSHFP RR. 250SN/A 260SN/ATo publish the fingerprint using the DNS you must add the generated RR 270SN/Ato your DNS zone file and sign your zone. 280SN/A 290SN/A 300SN/A(2) Client: Enable ssh to verify host keys using DNS 310SN/A 320SN/ATo enable the ssh client to verify host keys using DNS, you have to 330SN/Aadd the following option to the ssh configuration file 340SN/A($HOME/.ssh/config or /etc/ssh/ssh_config): 350SN/A 360SN/A VerifyHostKeyDNS yes 370SN/A 380SN/AUpon connection the client will try to look up the fingerprint RR 390SN/Ausing DNS. If the fingerprint received from the DNS server matches 400SN/Athe remote host key, the user will be notified. 41 42 43 Jakob Schlyter 44 Wesley Griffin 45 46 47$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $ 48