SSHFP records?

So I learned about SSHFP records at FUDCon and decided to implement them for some of our externally facing sites like cvs.fedoraproject.org, fedorapeople.org and git.fedorahosted.org (and others).

What is an SSHFP record? It's the fingerprint of an SSH host key, published in DNS, so you can verify that the key a server presents is the correct one. For example you can run:

$ dig SSHFP git.fedorahosted.org

Which will get you:

git.fedorahosted.org. 85975 IN SSHFP 2 1 DE382873ABE19B40AEFE714D686E15E16EAD5177
git.fedorahosted.org. 85975 IN SSHFP 1 1 A843ECED826C2F0075888150E89AE4567CD37D7F

So how can you use this information? Set VerifyHostKeyDNS to yes in your ssh_config (see man ssh_config for more info; you'll probably want to put it in your ~/.ssh/config file).
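To show what ssh actually compares when VerifyHostKeyDNS is on, here is an added example (not code from the original post or from OpenSSH) that derives SSHFP records from an OpenSSH public key line and checks a key against DNS answers in the format shown above. The ed25519 key and the hostname git.example.invalid are constructed placeholders; the algorithm and fingerprint-type numbers follow RFC 4255, 6594 and 7479.

```python
import base64
import hashlib
import struct

# Algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types (1 = SHA-1, 2 = SHA-256).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
                    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
                    "ecdsa-sha2-nistp521": 3}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _blob(pubkey_line):
    """Decode the base64 key blob of an OpenSSH public key line and sanity-check its type."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)                      # SSHFP hashes this raw wire-format blob
    (tlen,) = struct.unpack(">I", blob[:4])           # blob begins with a length-prefixed type string
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type prefix does not match the blob")
    return keytype, blob


def sshfp_records(pubkey_line, hostname):
    """Return the SSHFP records (SHA-1 and SHA-256) for the key, in zone-file form."""
    keytype, blob = _blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [f"{hostname}. IN SSHFP {alg} {fptype} {h(blob).hexdigest().upper()}"
            for fptype, h in sorted(SSHFP_HASHES.items())]


def verify_against_dns(pubkey_line, dns_records):
    """True if any DNS SSHFP answer matches the presented key's algorithm and fingerprint."""
    keytype, blob = _blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    for rec in dns_records:
        fields = rec.split()                          # "name ttl IN SSHFP alg fptype hex"
        if len(fields) < 4 or fields[-4] != "SSHFP":
            continue
        r_alg, r_fptype, r_fp = int(fields[-3]), int(fields[-2]), fields[-1].lower()
        if r_alg != alg or r_fptype not in SSHFP_HASHES:
            continue                                  # other key type or unknown hash: not a match
        if SSHFP_HASHES[r_fptype](blob).hexdigest() == r_fp:
            return True
    return False


# Constructed sample ed25519 public key (not a real host key): type string + 32 key bytes.
_sample_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_sample_blob).decode() + " constructed@example"

if __name__ == "__main__":
    for rec in sshfp_records(SAMPLE_KEY_LINE, "git.example.invalid"):
        print(rec)
```

On a real host, `ssh-keygen -r hostname` prints the same records from the installed host keys, which is the easy way to produce the zone data.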


