source: https://jean.ribes.ovh/posts/sshfp-pour-votre-serveur-ssh/
# Using SSHFP to secure your server

Unlike HTTPS, SSH operates on a Trust-On-First-Use model: your client remembers the server's host key fingerprints the first time it connects. Should they change later, you get a scary warning that your connection might be intercepted. In practice the more likely explanation is that you reinstalled your server, or that the IP address changed ...

*SSHFP* is a DNS Resource Record Type that stores the fingerprints of an SSH server's public host keys. Combined with working DNSSEC, this is pretty good protection: when your SSH client has never connected to a server before, it can check the presented host key against the fingerprints published in DNS instead of blindly trusting it.

### Note:

You will need a working **A/AAAA** record: the SSHFP records must be published under the same name as the A/AAAA record the client connects to.


# Server setup

On the SSH server, run `ssh-keygen -r your.domain.tld`. It prints one SHA-1 and one SHA-256 record for each host key the server has:

```dns
ssh.ribes.me IN SSHFP 1 1 5f6123b6a5716507d43cf361287db36b8390f2f0
ssh.ribes.me IN SSHFP 1 2 c8f560563f6676f138ef0e0f8848b41764b8c6708b6afc6fc8249422b5463771
ssh.ribes.me IN SSHFP ...
ssh.ribes.me IN SSHFP ... (there are several of these)
; your-domain IN SSHFP X Y fingerprint; X is the key algorithm (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519), Y the hash type (1 SHA-1, 2 SHA-256)
```

You can then import those records into your DNS zone. Take a few seconds to check whether your DNS provider can import a "BIND zone file", as it gets very tedious to insert those records by hand for each server.

# Client setup

Test with the following command; the verbose output reports whether fingerprints were found in DNS, whether they were DNSSEC-validated, and whether one of them matches the server's host key:

```bash
ssh -v -o "VerifyHostKeyDNS yes" votre.domaine.tld
```

To use SSHFP for all ssh connections, add the following to `~/.ssh/config`:

```
VerifyHostKeyDNS yes
```
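The following Python script is an added example, not part of the original post or of OpenSSH: it shows how the records above are derived on the server side (the X and Y columns, and the fact that the fingerprint is a hash of the raw key blob, i.e. the base64 part of the public key line), and then performs the client-side comparison that `VerifyHostKeyDNS` does against a list of zone-file lines. The sample key, the name `ssh.example.test` and the function names are constructed for the example.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479): the "X" column.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: the "Y" column. 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(name, pubkey_line):
    """Produce the SSHFP zone-file lines for one OpenSSH public key line,
    the same way ssh-keygen -r does: one SHA-1 and one SHA-256 record.
    The fingerprint is the hash of the raw key blob (base64 part decoded)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHM[keytype]
    return [
        f"{name} IN SSHFP {alg} {fptype} {digest(blob).hexdigest()}"
        for fptype, digest in sorted(SSHFP_HASH.items())
    ]


def parse_sshfp(record):
    """Split a zone-file line 'name IN SSHFP alg fptype hex' into its fields."""
    fields = record.split()
    if len(fields) != 6 or fields[1:3] != ["IN", "SSHFP"]:
        raise ValueError(f"not an SSHFP record: {record!r}")
    return fields[0], int(fields[3]), int(fields[4]), fields[5].lower()


def matching_record(name, pubkey_line, dns_records):
    """Client-side check in the spirit of VerifyHostKeyDNS: return the first
    SSHFP record whose name, algorithm and fingerprint match the presented
    host key, or None. Records for other names, other algorithms or unknown
    hash types are ignored rather than treated as a match."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHM.get(keytype)
    for record in dns_records:
        rname, ralg, rfptype, rfp = parse_sshfp(record)
        if rname != name or ralg != alg or rfptype not in SSHFP_HASH:
            continue
        if SSHFP_HASH[rfptype](blob).hexdigest() == rfp:
            return record
    return None


# Constructed sample key for demonstration only: a syntactically valid
# ssh-ed25519 public key line whose 32 key bytes are simply 0..31.
def _ssh_string(data):
    return len(data).to_bytes(4, "big") + data


_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY = (
    "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " constructed@example"
)
SAMPLE_NAME = "ssh.example.test"

if __name__ == "__main__":
    records = sshfp_records(SAMPLE_NAME, SAMPLE_PUBKEY)
    print("\n".join(records))
    print("match:", matching_record(SAMPLE_NAME, SAMPLE_PUBKEY, records))
```

Feed `sshfp_records` the contents of `/etc/ssh/ssh_host_*_key.pub` to reproduce what `ssh-keygen -r` prints. The script compares fingerprints only; the part it does not model is DNSSEC: the OpenSSH client auto-accepts a key on a matching record only when the resolver marks the answer as validated, which is why the post insists on working DNSSEC.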

---

[https://unix.stackexchange.com/questions/121880/how-do-i-generate-sshfp-records](https://unix.stackexchange.com/questions/121880/how-do-i-generate-sshfp-records)


© 2026 Jean Ribes