Bug 498276 - SSHFP records for gentoo.org servers
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Reported: 2014-01-16 18:36 UTC by dwfreed
Modified: 2014-01-18 08:30 UTC
Description dwfreed 2014-01-16 18:36:53 UTC
Now that the gentoo.org zone is signed with DNSSEC, and the stable version of OpenSSH in the tree supports generating SSHFP records for ECDSA keys, could we get SSHFP records added for all gentoo.org servers?

If you've not used this before, you can use ssh-keygen to generate the records to add:

# Using spoonbill as an example
for i in rsa dsa ecdsa; do
    ssh-keygen -r spoonbill.gentoo.org -f /etc/ssh/ssh_host_${i}_key.pub
done

This allows users to verify that the key they're seeing when connecting to a host they've never connected to before matches the key they should be seeing, to a reasonable level of certainty.  I believe this also works when keys are changed, such as when services move between boxes, etc.
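
What those records contain, and the comparison a client makes against them, as an added example that is not part of the original bug report: an SSHFP record is a hash of the raw public key blob, tagged with a key-algorithm number and a hash-type number. The function names and the sample key (dummy bytes in the correct wire layout) are constructed for this illustration.

```python
import base64
import hashlib
import struct

# SSHFP key-algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey(line: str):
    """Return (SSHFP algorithm number, raw key blob) from a .pub style line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type label does not match the key blob")
    if key_type not in KEY_ALGS:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    return KEY_ALGS[key_type], blob

def sshfp_records(host: str, pubkey_line: str):
    """Build records in the form ssh-keygen -r prints; the hash covers the whole blob."""
    alg, blob = parse_pubkey(pubkey_line)
    return [f"{host} IN SSHFP {alg} {fp} {h(blob).hexdigest()}"
            for fp, h in sorted(FP_TYPES.items())]

def key_matches_dns(pubkey_line: str, rdata: list) -> bool:
    """Check an offered host key against SSHFP RDATA strings ("alg fptype hex")."""
    alg, blob = parse_pubkey(pubkey_line)
    for rr in rdata:
        rr_alg, rr_fp, *rr_hex = rr.split()  # DNS tools may split long hex with spaces
        if int(rr_alg) != alg or int(rr_fp) not in FP_TYPES:
            continue  # record is for another key type or an unknown hash type
        digest = FP_TYPES[int(rr_fp)](blob).hexdigest()
        if digest == "".join(rr_hex).lower():
            return True
    return False

def constructed_ecdsa_line(fill: int) -> str:
    """Constructed sample key: correct wire layout, dummy (not on-curve) point bytes."""
    blob = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
            + ssh_string(b"\x04" + bytes([fill]) * 64))
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode() + " root@example"
```

The comparison is only meaningful when the SSHFP answer was DNSSEC-validated. OpenSSH clients perform it themselves when `VerifyHostKeyDNS` is enabled.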
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-01-18 08:30:51 UTC
Implemented for most of our core A records now.