Now that the gentoo.org zone is signed with DNSSEC, and the stable version of OpenSSH in the tree supports generating SSHFP records for ECDSA keys, could we get SSHFP records added for all gentoo.org servers?

If you've not used this before, you can use ssh-keygen to generate the records to add:

    # Using spoonbill as an example
    for i in rsa dsa ecdsa; do
        # Braces are needed: $i_key would expand the unset variable "i_key"
        ssh-keygen -r spoonbill.gentoo.org -f /etc/ssh/ssh_host_${i}_key.pub
    done

This allows users to verify that the key they're seeing when connecting to a host they've never connected to before matches the key they should be seeing, to a reasonable level of certainty. I believe this also works when keys are changed, such as when services move between boxes, etc.

Implemented for most of our core A records now.
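
The check an SSHFP record makes possible, as an added example that is not part of the original report or of OpenSSH: it derives the same zone lines that ssh-keygen -r prints from a public key line and tests an offered key against a published record. The host name host.example.org, the function names and the sample key are assumptions made for illustration; the key is a constructed blob, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594), keyed by SSH key type name.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
# SSHFP fingerprint type numbers and the hash each one names.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey(line):
    """Return (key_type, blob) from an OpenSSH 'type base64 [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type name.
    (name_len,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + name_len].decode("ascii", "replace")
    if inner != fields[0] or inner not in ALGORITHMS:
        raise ValueError("unsupported or inconsistent key type")
    return inner, blob

def sshfp_records(host, pubkey_line):
    """Build the SHA-1 and SHA-256 SSHFP zone lines for one host key."""
    key_type, blob = parse_pubkey(pubkey_line)
    return ["%s IN SSHFP %d %d %s" % (host, ALGORITHMS[key_type], fp,
                                      make_hash(blob).hexdigest())
            for fp, make_hash in sorted(FP_TYPES.items())]

def key_matches_record(pubkey_line, record):
    """True if the offered key hashes to the fingerprint in an SSHFP record."""
    key_type, blob = parse_pubkey(pubkey_line)
    alg, fp_type, fp_hex = record.split()[-3:]
    if int(alg) != ALGORITHMS[key_type] or int(fp_type) not in FP_TYPES:
        return False
    return FP_TYPES[int(fp_type)](blob).hexdigest() == fp_hex.lower()

def constructed_key(key_type, body):
    """Constructed sample input: a well-formed key line, not a real key."""
    name = key_type.encode()
    blob = struct.pack(">I", len(name)) + name + body
    return "%s %s constructed@example" % (key_type,
                                          base64.b64encode(blob).decode())

SAMPLE_KEY = constructed_key("ecdsa-sha2-nistp256", b"\x01" * 80)

if __name__ == "__main__":
    for rec in sshfp_records("host.example.org", SAMPLE_KEY):
        print(rec, key_matches_record(SAMPLE_KEY, rec))
```

A match is only as trustworthy as the DNS answer carrying the record, which is why the request above is tied to the zone being signed with DNSSEC.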