SSHFP Record Security

The SSHFP record (SSH Fingerprint) publishes SSH host key fingerprints in DNS. When connecting via SSH, the client can verify that the server's key matches the fingerprint in DNS, protecting against man-in-the-middle attacks without manually verifying fingerprints.

Look Up SSHFP Records

Check SSHFP records for any domain using our free DNS lookup tool.

Look Up SSHFP Records →

What Is an SSHFP Record?

When you first connect to an SSH server, you typically see a prompt like:

The authenticity of host 'server.example.com' can't be established.
ED25519 key fingerprint is SHA256:abc123...
Are you sure you want to continue connecting (yes/no)?

SSHFP records let SSH clients automatically verify this fingerprint through DNS, eliminating the need for manual verification and reducing the risk of accepting a compromised key.

DNSSEC Required

SSHFP verification is only secure if the zone is signed with DNSSEC and the client's resolver validates the signatures. Without DNSSEC, an attacker who can spoof DNS responses could forge SSHFP records that match their own key, turning the mechanism into an aid for man-in-the-middle attacks rather than a defence against them.

SSHFP Record Format

Example SSHFP Record

server.example.com.    3600    IN    SSHFP    4 2 abc123def456...

SSHFP Record Fields

Field             Description                                 Values
Algorithm         Key algorithm type                          1=RSA, 2=DSA, 3=ECDSA, 4=Ed25519, 6=Ed448
Fingerprint Type  Hash algorithm                              1=SHA-1, 2=SHA-256
Fingerprint       Hex-encoded hash of the public key blob     40 hex digits (SHA-1) or 64 hex digits (SHA-256)

Algorithm Types

Value   Algorithm   Status
1       RSA         Widely used
2       DSA         Deprecated
3       ECDSA       Common
4       Ed25519     Recommended
6       Ed448       Supported

Generating SSHFP Records

Use ssh-keygen to generate SSHFP records from your host keys. Run it on the server itself (or against a trusted copy of its public keys) so the fingerprints come from the genuine host keys; without -f it reads the host keys under /etc/ssh and prints a SHA-1 and a SHA-256 record for each one:

# Generate SSHFP records for all host keys found in /etc/ssh
ssh-keygen -r server.example.com

# Output example (one pair of records per host key):
server.example.com IN SSHFP 1 1 abc...  # RSA, SHA-1 fingerprint
server.example.com IN SSHFP 1 2 def...  # RSA, SHA-256 fingerprint
server.example.com IN SSHFP 4 2 ghi...  # Ed25519, SHA-256 fingerprint
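How the record is derived and checked, as an added Python example (not code from this page or from OpenSSH): it computes the SSHFP RDATA from a host public key line the way ssh-keygen -r does (SHA-1 or SHA-256 over the base64-decoded key blob) and then checks a key presented at connect time against a record. The Ed25519 key blob, the tampered variant and the hostname are constructed for the example.

```python
import base64
import hashlib
import hmac

# SSHFP algorithm numbers keyed by the key-type prefix of a public key line
# (the mapping ssh-keygen -r applies); 1-4 as on the page, 6 = Ed448.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4, "ssh-ed448": 6,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}  # fingerprint types 1 = SHA-1, 2 = SHA-256

def sshfp_fingerprint(key_blob: bytes, fp_type: int) -> str:
    """Hex fingerprint of the raw (base64-decoded) key blob for one fingerprint type."""
    return SSHFP_HASH[fp_type](key_blob).hexdigest()

def parse_pubkey_line(line: str) -> tuple:
    """Accept 'ssh-ed25519 AAAA... comment' (ssh_host_*_key.pub) and
    'host ssh-ed25519 AAAA...' (ssh-keyscan / known_hosts) layouts."""
    fields = line.split()
    i = 0 if fields[0] in SSHFP_ALGORITHM else 1
    return fields[i], base64.b64decode(fields[i + 1])

def sshfp_rdata(pubkey_line: str, fp_type: int = 2) -> str:
    """Build the SSHFP RDATA '<alg> <fptype> <hex>' that ssh-keygen -r prints."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    return f"{SSHFP_ALGORITHM[key_type]} {fp_type} {sshfp_fingerprint(blob, fp_type)}"

def key_matches_sshfp(pubkey_line: str, rdata: str) -> bool:
    """Does a host key presented at connect time match one SSHFP record from DNS?"""
    alg, fp_type, fp = rdata.split()
    key_type, blob = parse_pubkey_line(pubkey_line)
    if SSHFP_ALGORITHM.get(key_type) != int(alg) or int(fp_type) not in SSHFP_HASH:
        return False  # algorithm or fingerprint type this record cannot vouch for
    return hmac.compare_digest(sshfp_fingerprint(blob, int(fp_type)), fp.lower())

def _ssh_string(b: bytes) -> bytes:  # SSH wire string: 4-byte big-endian length + data
    return len(b).to_bytes(4, "big") + b

# Constructed Ed25519 key blob (not a real host key): type string + 32 key bytes
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " root@server.example.com"
# Same key with its last byte flipped, standing in for a substituted key, in known_hosts layout
_TAMPERED_BLOB = _SAMPLE_BLOB[:-1] + bytes([_SAMPLE_BLOB[-1] ^ 0x01])
TAMPERED_KEY_LINE = "server.example.com ssh-ed25519 " + base64.b64encode(_TAMPERED_BLOB).decode()
```

Feeding a real /etc/ssh/ssh_host_ed25519_key.pub line to sshfp_rdata reproduces the "4 2 ..." record from ssh-keygen -r, and key_matches_sshfp returns False for the tampered key because a single changed key byte changes the whole hash.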

Configuring SSH Client

Enable SSHFP verification in ~/.ssh/config or /etc/ssh/ssh_config:

Host *
    VerifyHostKeyDNS yes       # Verify via SSHFP
    # Or use "ask" to prompt before accepting

With VerifyHostKeyDNS yes, the client accepts a new host key without prompting only when the SSHFP answer was DNSSEC-validated by the resolver; a matching record that is not validated is reported as informational and you are still prompted, so the client host needs a validating resolver for this to work unattended. With "ask", a match is shown and you confirm the connection yourself.

SSHFP Best Practices

Example Complete SSHFP Setup

; SSHFP records for server.example.com
server.example.com.    SSHFP    1 2 a1b2c3d4e5f6...  ; RSA SHA-256
server.example.com.    SSHFP    3 2 f6e5d4c3b2a1...  ; ECDSA SHA-256
server.example.com.    SSHFP    4 2 123456789abc...  ; Ed25519 SHA-256

Troubleshooting SSHFP

Common issues and solutions:

Check Your SSHFP Records

Use our DNS Record Finder to look up SSHFP records for any domain.


Related Record Types