1 Secure Shell Working Group J. Schlyter
3 Expires: March 5, 2004 W. Griffin
8 Using DNS to Securely Publish SSH Key Fingerprints
9 draft-ietf-secsh-dns-05.txt
13 This document is an Internet-Draft and is in full conformance with
14 all provisions of Section 10 of RFC2026.
16 Internet-Drafts are working documents of the Internet Engineering
17 Task Force (IETF), its areas, and its working groups. Note that other
18 groups may also distribute working documents as Internet-Drafts.
20 Internet-Drafts are draft documents valid for a maximum of six months
21 and may be updated, replaced, or obsoleted by other documents at any
22 time. It is inappropriate to use Internet-Drafts as reference
23 material or to cite them other than as "work in progress."
25 The list of current Internet-Drafts can be accessed at http://
26 www.ietf.org/ietf/1id-abstracts.txt.
28 The list of Internet-Draft Shadow Directories can be accessed at
29 http://www.ietf.org/shadow.html.
31 This Internet-Draft will expire on March 5, 2004.
35 Copyright (C) The Internet Society (2003). All Rights Reserved.
39 This document describes a method to verify SSH host keys using
40 DNSSEC. The document defines a new DNS resource record that contains
41 a standard SSH key fingerprint.
53 Schlyter & Griffin Expires March 5, 2004 [Page 1]
55 Internet-Draft DNS and SSH Fingerprints September 2003
60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
61 2. SSH Host Key Verification . . . . . . . . . . . . . . . . . 3
62 2.1 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
63 2.2 Implementation Notes . . . . . . . . . . . . . . . . . . . . 3
64 2.3 Fingerprint Matching . . . . . . . . . . . . . . . . . . . . 4
65 2.4 Authentication . . . . . . . . . . . . . . . . . . . . . . . 4
66 3. The SSHFP Resource Record . . . . . . . . . . . . . . . . . 4
67 3.1 The SSHFP RDATA Format . . . . . . . . . . . . . . . . . . . 5
68 3.1.1 Algorithm Number Specification . . . . . . . . . . . . . . . 5
69 3.1.2 Fingerprint Type Specification . . . . . . . . . . . . . . . 5
70 3.1.3 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . 5
71 3.2 Presentation Format of the SSHFP RR . . . . . . . . . . . . 6
72 4. Security Considerations . . . . . . . . . . . . . . . . . . 6
73 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
74 Normative References . . . . . . . . . . . . . . . . . . . . 8
75 Informational References . . . . . . . . . . . . . . . . . . 8
76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 9
77 A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
78 Intellectual Property and Copyright Statements . . . . . . . 10
109 Schlyter & Griffin Expires March 5, 2004 [Page 2]
111 Internet-Draft DNS and SSH Fingerprints September 2003
116 The SSH [6] protocol provides secure remote login and other secure
117 network services over an insecure network. The security of the
118 connection relies on the server authenticating itself to the client
119 as well as the user authenticating itself to the server.
121 If a connection is established to a server whose public key is not
122 already known to the client, a fingerprint of the key is presented to
123 the user for verification. If the user decides that the fingerprint
124 is correct and accepts the key, the key is saved locally and used for
125 verification for all following connections. While some
126 security-conscious users verify the fingerprint out-of-band before
127 accepting the key, many users blindly accept the presented key.
129 The method described here can provide out-of-band verification by
130 looking up a fingerprint of the server public key in the DNS [1][2]
131 and using DNSSEC [5] to verify the lookup.
133 In order to distribute the fingerprint using DNS, this document
134 defines a new DNS resource record, "SSHFP", to carry the fingerprint.
136 Basic understanding of the DNS system [1][2] and the DNS security
137 extensions [5] is assumed by this document.
139 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
140 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
141 document are to be interpreted as described in RFC 2119 [3].
143 2. SSH Host Key Verification
147 Upon connection to a SSH server, the SSH client MAY look up the SSHFP
148 resource record(s) for the host it is connecting to. If the
149 algorithm and fingerprint of the key received from the SSH server
150 match the algorithm and fingerprint of one of the SSHFP resource
151 record(s) returned from DNS, the client MAY accept the identity of
154 2.2 Implementation Notes
156 Client implementors SHOULD provide a configurable policy used to
157 select the order of methods used to verify a host key. This document
158 defines one method: Fingerprint storage in DNS. Another method
159 defined in the SSH Architecture [6] uses local files to store keys
160 for comparison. Other methods that could be defined in the future
161 might include storing fingerprints in LDAP or other databases. A
165 Schlyter & Griffin Expires March 5, 2004 [Page 3]
167 Internet-Draft DNS and SSH Fingerprints September 2003
170 configurable policy will allow administrators to determine which
171 methods they want to use and in what order the methods should be
172 prioritized. This will allow administrators to determine how much
173 trust they want to place in the different methods.
175 One specific scenario for having a configurable policy is where
176 clients do not use fully qualified host names to connect to servers.
177 In this scenario, the implementation SHOULD verify the host key
178 against a local database before verifying the key via the fingerprint
179 returned from DNS. This would help prevent an attacker from injecting
180 a DNS search path into the local resolver and forcing the client to
181 connect to a different host.
183 2.3 Fingerprint Matching
185 The public key and the SSHFP resource record are matched together by
186 comparing algorithm number and fingerprint.
188 The public key algorithm and the SSHFP algorithm number MUST
191 A message digest of the public key, using the message digest
192 algorithm specified in the SSHFP fingerprint type, MUST match the
198 A public key verified using this method MUST NOT be trusted if the
199 SSHFP resource record (RR) used for verification was not
200 authenticated by a trusted SIG RR.
202 Clients that do validate the DNSSEC signatures themselves SHOULD use
203 standard DNSSEC validation procedures.
205 Clients that do not validate the DNSSEC signatures themselves MUST
206 use a secure transport, e.g. TSIG [9], SIG(0) [10] or IPsec [8],
207 between themselves and the entity performing the signature
210 3. The SSHFP Resource Record
212 The SSHFP resource record (RR) is used to store a fingerprint of a
213 SSH public host key that is associated with a Domain Name System
216 The RR type code for the SSHFP RR is TBA.
221 Schlyter & Griffin Expires March 5, 2004 [Page 4]
223 Internet-Draft DNS and SSH Fingerprints September 2003
226 3.1 The SSHFP RDATA Format
228 The RDATA for a SSHFP RR consists of an algorithm number, fingerprint
229 type and the fingerprint of the public host key.
231 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
232 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
233 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
234 | algorithm | fp type | /
235 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
242 3.1.1 Algorithm Number Specification
244 This algorithm number octet describes the algorithm of the public
245 key. The following values are assigned:
253 Reserving other types requires IETF consensus [4].
255 3.1.2 Fingerprint Type Specification
257 The fingerprint type octet describes the message-digest algorithm
258 used to calculate the fingerprint of the public key. The following
261 Value Fingerprint type
262 ----- ----------------
266 Reserving other types requires IETF consensus [4].
268 For interoperability reasons, as few fingerprint types as possible
269 should be reserved. The only reason to reserve additional types is
270 to increase security.
277 Schlyter & Griffin Expires March 5, 2004 [Page 5]
279 Internet-Draft DNS and SSH Fingerprints September 2003
282 The fingerprint is calculated over the public key blob as described
285 The message-digest algorithm is presumed to produce an opaque octet
286 string output which is placed as-is in the RDATA fingerprint field.
288 3.2 Presentation Format of the SSHFP RR
290 The RDATA of the presentation format of the SSHFP resource record
291 consists of two numbers (algorithm and fingerprint type) followed by
292 the fingerprint itself presented in hex, e.g:
294 host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890
296 The use of mnemonics instead of numbers is not allowed.
298 4. Security Considerations
300 Currently, the amount of trust a user can realistically place in a
301 server key is proportional to the amount of attention paid to
302 verifying that the public key presented actually corresponds to the
303 private key of the server. If a user accepts a key without verifying
304 the fingerprint with something learned through a secured channel, the
305 connection is vulnerable to a man-in-the-middle attack.
307 The overall security of using SSHFP for SSH host key verification is
308 dependent on the security policies of the SSH host administrator and
309 DNS zone administrator (in transferring the fingerprint), detailed
310 aspects of how verification is done in the SSH implementation, and in
311 the client's diligence in accessing the DNS in a secure manner.
313 One such aspect is in which order fingerprints are looked up (e.g.
314 first checking local file and then SSHFP). We note that in addition
315 to protecting the first-time transfer of host keys, SSHFP can
316 optionally be used for stronger host key protection.
318 If SSHFP is checked first, new SSH host keys may be distributed by
319 replacing the corresponding SSHFP in DNS.
321 If SSH host key verification can be configured to require SSHFP,
322 SSH host key revocation can be implemented by removing the
323 corresponding SSHFP from DNS.
325 As stated in Section 2.2, we recommend that SSH implementors provide
326 a policy mechanism to control the order of methods used for host key
327 verification. One specific scenario for having a configurable policy
328 is where clients use unqualified host names to connect to servers. In
329 this case, we recommend that SSH implementations check the host key
333 Schlyter & Griffin Expires March 5, 2004 [Page 6]
335 Internet-Draft DNS and SSH Fingerprints September 2003
338 against a local database before verifying the key via the fingerprint
339 returned from DNS. This would help prevent an attacker from injecting
340 a DNS search path into the local resolver and forcing the client to
341 connect to a different host.
343 A different approach to solve the DNS search path issue would be for
344 clients to use a trusted DNS search path, i.e., one not acquired
345 through DHCP or other autoconfiguration mechanisms. Since there is no
346 way with current DNS lookup APIs to tell whether a search path is
347 from a trusted source, the entire client system would need to be
348 configured with this trusted DNS search path.
350 Another dependency is on the implementation of DNSSEC itself. As
351 stated in Section 2.4, we mandate the use of secure methods for
352 lookup and that SSHFP RRs are authenticated by trusted SIG RRs. This
353 is especially important if SSHFP is to be used as a basis for host
354 key rollover and/or revocation, as described above.
356 Since DNSSEC only protects the integrity of the host key fingerprint
357 after it is signed by the DNS zone administrator, the fingerprint
358 must be transferred securely from the SSH host administrator to the
359 DNS zone administrator. This could be done manually between the
360 administrators or automatically using secure DNS dynamic update [11]
361 between the SSH server and the nameserver. We note that this is no
362 different from other key enrollment situations, e.g. a client sending
363 a certificate request to a certificate authority for signing.
365 5. IANA Considerations
367 IANA needs to allocate a RR type code for SSHFP from the standard RR
368 type space (type 44 requested).
370 IANA needs to open a new registry for the SSHFP RR type for public
371 key algorithms. Defined types are:
377 Adding new reservations requires IETF consensus [4].
379 IANA needs to open a new registry for the SSHFP RR type for
380 fingerprint types. Defined types are:
385 Adding new reservations requires IETF consensus [4].
389 Schlyter & Griffin Expires March 5, 2004 [Page 7]
391 Internet-Draft DNS and SSH Fingerprints September 2003
396 [1] Mockapetris, P., "Domain names - concepts and facilities", STD
397 13, RFC 1034, November 1987.
399 [2] Mockapetris, P., "Domain names - implementation and
400 specification", STD 13, RFC 1035, November 1987.
402 [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
403 Levels", BCP 14, RFC 2119, March 1997.
405 [4] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
406 Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
408 [5] Eastlake, D., "Domain Name System Security Extensions", RFC
411 [6] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
412 Lehtinen, "SSH Protocol Architecture",
413 draft-ietf-secsh-architecture-14 (work in progress), July 2003.
415 [7] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
416 Lehtinen, "SSH Transport Layer Protocol",
417 draft-ietf-secsh-transport-16 (work in progress), July 2003.
419 Informational References
421 [8] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security Document
422 Roadmap", RFC 2411, November 1998.
424 [9] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
425 "Secret Key Transaction Authentication for DNS (TSIG)", RFC
428 [10] Eastlake, D., "DNS Request and Transaction Signatures (
429 SIG(0)s)", RFC 2931, September 2000.
431 [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic
432 Update", RFC 3007, November 2000.
445 Schlyter & Griffin Expires March 5, 2004 [Page 8]
447 Internet-Draft DNS and SSH Fingerprints September 2003
455 Calgary, Alberta T2G 1N8
458 EMail: jakob@openssh.com
459 URI: http://www.openssh.com/
464 7075 Samuel Morse Drive
468 EMail: wgriffin@sparta.com
469 URI: http://www.sparta.com/
471 Appendix A. Acknowledgements
473 The authors gratefully acknowledge, in no particular order, the
474 contributions of the following persons:
501 Schlyter & Griffin Expires March 5, 2004 [Page 9]
503 Internet-Draft DNS and SSH Fingerprints September 2003
506 Intellectual Property Statement
508 The IETF takes no position regarding the validity or scope of any
509 intellectual property or other rights that might be claimed to
510 pertain to the implementation or use of the technology described in
511 this document or the extent to which any license under such rights
512 might or might not be available; neither does it represent that it
513 has made any effort to identify any such rights. Information on the
514 IETF's procedures with respect to rights in standards-track and
515 standards-related documentation can be found in BCP-11. Copies of
516 claims of rights made available for publication and any assurances of
517 licenses to be made available, or the result of an attempt made to
518 obtain a general license or permission for the use of such
519 proprietary rights by implementors or users of this specification can
520 be obtained from the IETF Secretariat.
522 The IETF invites any interested party to bring to its attention any
523 copyrights, patents or patent applications, or other proprietary
524 rights which may cover technology that may be required to practice
525 this standard. Please address the information to the IETF Executive
529 Full Copyright Statement
531 Copyright (C) The Internet Society (2003). All Rights Reserved.
533 This document and translations of it may be copied and furnished to
534 others, and derivative works that comment on or otherwise explain it
535 or assist in its implementation may be prepared, copied, published
536 and distributed, in whole or in part, without restriction of any
537 kind, provided that the above copyright notice and this paragraph are
538 included on all such copies and derivative works. However, this
539 document itself may not be modified in any way, such as by removing
540 the copyright notice or references to the Internet Society or other
541 Internet organizations, except as needed for the purpose of
542 developing Internet standards in which case the procedures for
543 copyrights defined in the Internet Standards process must be
544 followed, or as required to translate it into languages other than
547 The limited permissions granted above are perpetual and will not be
548 revoked by the Internet Society or its successors or assignees.
550 This document and the information contained herein is provided on an
551 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
552 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
553 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
557 Schlyter & Griffin Expires March 5, 2004 [Page 10]
559 Internet-Draft DNS and SSH Fingerprints September 2003
562 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
563 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
568 Funding for the RFC Editor function is currently provided by the
613 Schlyter & Griffin Expires March 5, 2004 [Page 11]