Oct 22 – 23, 2022 Workshop
Golden Tulip Zira
Europe/Belgrade timezone

Analysis of SSHFP records in the DNS

Oct 23, 2022, 12:15 PM
Mykonos / Rodos (Golden Tulip Zira)

Mykonos / Rodos

Golden Tulip Zira

Ruzveltova 35 11000 Belgrade Republic of Serbia
Standard Presentation Main Session OARC 39 - D2


Sebastian Neef (Technische Universität Berlin)


In 2006, RFC 4255 [0] introduced a resource record that holds SSH host key verification fingerprints, named SSHFP. In order to prevent man-in-the-middle attacks, a SSH server's host key fingerprint should be verified by the client [1]. While the manual verification process is prone to errors or ignorance by the user, SSHFP records eliminate any manual interaction. However, SSHFP records must securely reach the client and provide the correct host key verification fingerprint.

In our paper "Oh SSH-it, what's my fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS" (accepted at CANS 2022, preprint [2]) we conduct a large-scale internet study (Tranco 1M and 500 million domain names from Certificate transparency logs). The results show that only about 1 in 10,000 domains has SSHFP records. Further, more than half of them are deployed without DNSSEC, thus drastically reducing security benefits.

The presentation aims to remind of this (niche) SSHFP record and present the paper's methodology and results. To end on a positive note, we will show a proper deployment and possible improvements for current tools (i.e. openssh-client).

[0] https://www.rfc-editor.org/rfc/rfc4255.html
[1] https://www.rfc-editor.org/rfc/rfc4251.html
[2] https://arxiv.org/abs/2208.08846

Conflicht of Interest: Nils Wisiol

Presentation delivery In-person at the workshop venue

Primary author

Sebastian Neef (Technische Universität Berlin)


Nils Wisiol (Technische Universität Berlin)

Presentation materials