[Dnsmasq-discuss] dnsmasq and sshfp records

Simon Kelley simon at thekelleys.org.uk
Fri May 25 11:56:27 BST 2012


On 24/05/12 19:17, Jan-Piet Mens wrote:
>> keys as "SSHFP-Record"s, so that I'm able to call via <<ssh
>> user@remotehost -o "VerifyHostKeyDNS=yes">> and get a result line like
>> "Matching host key fingerprint found in DNS".
> 
> This may or not be painful, if you're not using DNSSEC. (You may like to
> glance at a discussion, and the comments, at [1].)
> 
>> Since I've found nothing, it seems like dnsmasq doesn't support SSHFP-Records,
>> right ?!?!
> 
> I don't think this is possible at the moment, but we'll have to ask
> Simon. Simon? Are you there? :-)

No! The sun is shining and I'm lying in my hammock :-)

Well I was yesterday, back now.


Dnsmasq doesn't support SSHFP records. It doesn't support arbitrary DNS
record types at all, and historically support for particular record
types has been added ad hoc for those that have proved to be
useful.

It would be possible to do the same thing for SSHFP, but possibly of
minimal use, given JP's discoveries.

An alternative would be to add some general RR-type support, rather like
the DHCP option support. You can specify any DHCP option, but if it's one
dnsmasq doesn't know, you may have to do the encoding to hex yourself.

dhcp-option=30,00:01:02:03

This makes any option at least possible, even if you have to deal with
IETF's propensity for designing a new and interesting encoding for each
and every new option.


The same thing could be done for DNS RRs:

dns-rr=44,02:01:34:56:.........

(44 is the RR type for SSHFP, according to RFC 4255)

Relaxing the hex parsing to make colons and leading zeros optional gives
the possibility of something that's almost a natural encoding in this
case, and may be generally useful, if less easy to use:

dns-rr=44,2:1:123456789abcdef67890123456789abcdef67890



Opinions?


Cheers,

Simon.
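Worked example, added here and not part of Simon's message, of dnsmasq or of OpenSSH: a Python script that builds SSHFP RDATA in the RFC 4255 layout (algorithm octet, fingerprint-type octet, digest of the SSH public-key blob) from an OpenSSH public-key line, writes it out in the relaxed `dns-rr=44,<alg>:<type>:<hex>` form proposed above, parses such a line back, checks that the fingerprint length matches the fingerprint type, and performs the comparison that VerifyHostKeyDNS makes against the key a server presents. The dns-rr= syntax is taken from the sketch in the message, not from any documented dnsmasq option; the make_pubkey_line helper and the sample key (a made-up 32-byte Ed25519 key) are constructed for the example.

```python
"""SSHFP (RR type 44) RDATA in the relaxed colon-separated hex form sketched
in the message above.  Added example, not dnsmasq or OpenSSH code; the
dns-rr= syntax follows the proposal in the message, not a shipped option."""
import base64
import hashlib
import struct

SSHFP_RR_TYPE = 44  # RFC 4255

# SSHFP algorithm numbers, keyed by OpenSSH key-type string:
# RFC 4255 (RSA=1, DSA=2), RFC 6594 (ECDSA=3), RFC 7479 (Ed25519=4).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2,
                   "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type, raw_key, comment="host.example"):
    """Constructed test helper (not a real host key): an OpenSSH public-key
    line whose blob is a type string plus one raw key string, the layout
    Ed25519 keys use on the wire."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


def sshfp_rdata(pubkey_line, fp_type=2):
    """SSHFP RDATA: algorithm octet, fingerprint-type octet, then the digest
    of the base64-decoded public-key blob (what `ssh-keygen -r` hashes)."""
    key_type, b64 = pubkey_line.split()[:2]
    digest = SSHFP_DIGEST[fp_type](base64.b64decode(b64)).digest()
    return bytes([SSHFP_ALGORITHM[key_type], fp_type]) + digest


def parse_relaxed_hex(text):
    """Decode hex where colons are separators and leading zeros may be
    dropped, so '2' is the octet 0x02 and '00:01:02:03' is four octets."""
    out = bytearray()
    for field in text.split(":"):
        if not field:
            raise ValueError("empty hex field in %r" % text)
        if len(field) % 2:
            field = "0" + field  # leading zero is optional
        out += bytes.fromhex(field)
    return bytes(out)


def dns_rr_line(rdata):
    """Render SSHFP RDATA as 'dns-rr=44,<alg>:<type>:<fingerprint-hex>'."""
    return "dns-rr=%d,%x:%x:%s" % (SSHFP_RR_TYPE, rdata[0], rdata[1],
                                   rdata[2:].hex())


def parse_dns_rr_line(line):
    """Inverse of dns_rr_line: returns (rr_type, rdata bytes)."""
    option, _, value = line.strip().partition("=")
    if option != "dns-rr":
        raise ValueError("not a dns-rr line: %r" % line)
    rr_type, _, hexdata = value.partition(",")
    return int(rr_type), parse_relaxed_hex(hexdata)


def decode_sshfp(rdata):
    """Split RDATA into (algorithm, fp_type, fingerprint); reject data whose
    fingerprint length does not match the fingerprint type."""
    if len(rdata) < 3:
        raise ValueError("SSHFP RDATA too short")
    algorithm, fp_type, fingerprint = rdata[0], rdata[1], rdata[2:]
    if fp_type not in SSHFP_DIGEST:
        raise ValueError("unknown SSHFP fingerprint type %d" % fp_type)
    want = SSHFP_DIGEST[fp_type]().digest_size
    if len(fingerprint) != want:
        raise ValueError("fingerprint is %d bytes, type %d needs %d"
                         % (len(fingerprint), fp_type, want))
    return algorithm, fp_type, fingerprint


def host_key_matches(pubkey_line, rdata):
    """The check VerifyHostKeyDNS=yes makes with a record: recompute the
    fingerprint of the presented key and compare with the published one.
    Whether the record itself can be trusted is a DNSSEC question."""
    algorithm, fp_type, fingerprint = decode_sshfp(rdata)
    if SSHFP_ALGORITHM.get(pubkey_line.split()[0]) != algorithm:
        return False
    return sshfp_rdata(pubkey_line, fp_type)[2:] == fingerprint


# Constructed sample input: a made-up 32-byte Ed25519 public key.
SAMPLE_PUBKEY_LINE = make_pubkey_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    line = dns_rr_line(sshfp_rdata(SAMPLE_PUBKEY_LINE))
    print(line)
    rr_type, parsed = parse_dns_rr_line(line)
    print(rr_type, decode_sshfp(parsed), host_key_matches(SAMPLE_PUBKEY_LINE, parsed))
```

The script only shows that a presented key matches a record and that the record is well-formed for its type; it does not make the record trustworthy, which is the DNSSEC point JP raises earlier in the thread. For a zone file rather than the proposed dnsmasq form, `ssh-keygen -r hostname` prints the standard SSHFP presentation syntax.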
