Automatically create SSHFP records on Cloudflare DNS by Adam Shand

Just spent a couple of hours writing a script to automatically add SSHFP records to Cloudflare DNS.  I'd never used Cloudflare's API before, so it was a useful learning project.

You can get the script from my dotfiles repository.

If you aren't familiar with SSHFP DNS records, they store information about an SSH server's keys in DNS (algorithm, type & fingerprint). Each time you ssh to the server, its keys are compared to those in DNS and a warning is issued if they don't match.

SSHFP records provide some protection against man-in-the-middle attacks, but I've rarely used them because they are annoying to manually add. 

I recommend adding these settings to your ~/.ssh/config:

Host *
  StrictHostKeyChecking accept-new
  VerifyHostKeyDNS yes

Run it like this:

info: found ssh keys at
deleting existing sshfp record for (fd157edccf68b6aa428b88de309b9be5)
deleting existing sshfp record for (2e7f2084a43c2f45f7ad30cf22fbeea7)
created sshfp record for (4 1 8f5984bc3111ad935b5c5c717a38d96878ef4a3f)
created sshfp record for (4 2 e81d784647660a98bb8e2c3e3d16d83d450e135a265c6bbf8ecb823bad8337bc)

And then you can see if it's working like this:

❯ ssh -v
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Server host key: ssh-ed25519 SHA256:6B14RkdmCpi7jiw+PRbYPUUOE1omXGu/jsuCO62DN7w
debug1: found 2 insecure fingerprints in DNS
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 1
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2
debug1: matching host key fingerprint found in DNS
Linux mahoe 6.1.0-2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.7-1 (2023-01-18) x86_64

Hope it might be useful to someone else.

tutorial posted on 1 Mar 2023 in #nerding, #teaching & #working

Copyheart 1994–2023 sharing is an act of love.