New DNS API – easily update SSHFP keys
We’ve got a new version of our DNS API under development. One of the neat new features is the ability to accept input in bind zone file format (aka RFC 1035).
One of the things that this makes very easy is adding SSHFP records to the DNS. SSHFP is a mechanism for lodging your server’s public SSH keys in the DNS so that your SSH client can automatically verify a server the first time you connect to it, rather than prompting you to confirm the host key.
Using our new API, you can add or update SSHFP keys by piping the output of
ssh-keygen straight into
ssh-keygen -r myhost | curl -X PUT -n https://api.mythic-beasts.com/zones/example.com/myhost/SSHFP -H 'Content-Type: text/dns' --data-binary @-
What’s going on here?
ssh-keygen -r outputs your server’s SSH public keys in RFC 1035 format:
$ ssh-keygen -r myhost myhost IN SSHFP 1 1 e579ff6aabc2f0acf714deca53108a0c1ea7d799 myhost IN SSHFP 1 2 7c47d5dfb748ff1fd244b7289d815e83dad8c2c1652b92ac8aed8ff166733d07 myhost IN SSHFP 2 1 c5caf4cc8870acc7fd113e5a7c866822ec0d94de myhost IN SSHFP 2 2 9f11843fa1d9da318aa4bc09bbcaacaf4a9868c4d83dfc4bad6853d0c9597a31 myhost IN SSHFP 3 1 eb8644f5fcfd555341f2063bd92044075e20da89 myhost IN SSHFP 3 2 60f3e9780f9b87e5b4d6344f2ab46decbf705123e96ef07c3247f714ca220fc4 myhost IN SSHFP 4 1 139426de48381ea46ad75dde4e412bf1c9b11e61 myhost IN SSHFP 4 2 6f094181b510bbb573048835665773eb1a2a65fd4341d95207479ed71296491b
We then pipe that into
curl to make a request to the DNS API.
PUT request to the
/myhost/SSHFP endpoint replaces all existing myhost SSHFP records.
-n tells curl to get auth credentials from a
.netrc file, and the “Content-Type” header tells our API that we’re providing the new records in zone file format.
What’s the point of SSHFP?
Having lodged these SSHFP records in the DNS, and provided that DNSSEC is enabled for your domain, it’s possible to connect to a server without being prompted to verify the server’s host key.
$ ssh -o VerifyHostKeyDNS=yes firstname.lastname@example.org
You can avoid having to specify the
-o by putting
VerifyHostKeyDNS=yes in your
The new DNS API isn’t quite ready for deployment, so if there are any features that you’d really like to see in the new API, now’s the time to tell us, either on Twitter or by email.