On Wed, Feb 26, 2025 at 1:00 PM, Phillip Hallam-Baker <ph...@hallambaker.com > wrote:
> I am currently taking a hard look at mechanisms for using DNS Handles as a
> means for exchange of authenticated and non-authenticated contact
> information via JSContact.
>
> As part of that, I wanted to know if there was any *existing* use of the
> SSHFP record for publishing SSH credentials and if so whether it was
> limited to the server. And yes, I can read the specs, what I am asking
> about is actual practice.

I had been using SSHFP records, but eventually stopped. I was managing my machines using Puppet and used the 'facts2sshfp' script (https://github.com/jpmens/facts2sshfp) to automatically extract and publish these. Eventually I migrated all of my automation to Ansible, and never really got around to re-doing the SSHFP record generation.

They did work fairly well, but seeing as I'm basically the only user of my machines, I've "solved" the issue through the following rigorous process: if the ssh client prompts me for a fingerprint, I go:

1: "Huh? Ah, yes, this is the first time I'm connecting to this server from this client… I should go check if the finge.. meh, 'tis probably fine…."

or

2: "Huh?! Oh, yes, I *just* reinstalled this machine… Someone could be arp-spoofing the address on my LAN and… meh, 'tis probably fine…."

W

> If there is existing use, it might be something to build on. Otherwise, I
> think it best to forget it and apply the same SRV/TXT framework used for
> everything else.
>
>
> The basic idea of JSContacts in handles being that I can put
> @phill.hallambaker.com on my business card or a publication, someone can pull
> the TXT record and get a uri that is a locator, decryptor and authenticator
> all in one:
>
> _jscontact.phill.hallambaker.com. IN TXT "uri=jscontact://mplace2.social/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq"
>
> That egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq bit is a truncated SHA-3 digest of
> the contact data. So if my SSH key is in the contact and the TXT record is
> DNSSEC signed, we have at least some authentication of the contact.
>
> Alternatively, I might put the jscontact link on my business card as a QR
> code. So now, you can scan the link and get direct verification.
>
> mplace2.social is just a resolution hint, a domain that currently has the
> contact information. If that is going to be in a paper publication, the
> resolution site might have changed but not the contact itself.
>
> jscontact: @phill.hallambaker.com/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq
>
>
> Since my publication engine has to populate the TXT records, it can do
> SSHFP in theory. But I see no reason to do that if it hasn't already
> established a user base.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
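The reply above describes generating SSHFP records from host keys (via facts2sshfp) and the "meh, 'tis probably fine" habit that replaces them once they lapse. As an added illustration, not code from the thread or from the facts2sshfp project, the following Python builds the SSHFP RR for a host's public key the way `ssh-keygen -r` does (hash of the decoded key blob; algorithm and fingerprint-type numbers from RFC 4255, RFC 6594 and RFC 7479) and shows the client-side comparison that an SSHFP-aware client performs instead of asking the user. The sample ed25519 key is a constructed byte pattern, not a real host's key, and `host.example` is a placeholder owner name.

```python
import base64
import hashlib
import struct

# Code points from RFC 4255 (RSA=1, DSA=2, SHA-1=1), RFC 6594 (ECDSA=3,
# SHA-256=2) and RFC 7479 (Ed25519=4).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix plus the bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey_line(raw_key: bytes, comment: str = "host.example") -> str:
    """Build an OpenSSH-format ssh-ed25519 public key line from 32 raw bytes.
    Used here only to construct sample input; the bytes are not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample host key: a fixed byte pattern, not a real host's key.
SAMPLE_PUBKEY_LINE = make_sample_pubkey_line(bytes(range(32)))


def parse_pubkey_line(line: str):
    """Return (key type, decoded key blob) from a '<type> <base64> [comment]'
    line, checking that the type name inside the blob matches the declared one."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode():
        raise ValueError("key type in blob does not match declared type")
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    return keytype, blob


def sshfp_record(owner: str, pubkey_line: str, fp_type: int = 2) -> str:
    """Produce the SSHFP RR for a host's public key. The fingerprint is the
    hash of the decoded key blob, the same value ssh-keygen -r publishes."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    digest = SSHFP_HASH[fp_type](blob).hexdigest()
    return f"{owner} IN SSHFP {SSHFP_ALGORITHM[keytype]} {fp_type} {digest}"


def parse_sshfp_record(text: str):
    """Parse 'owner [ttl] [class] SSHFP alg fptype hex' into (alg, fptype, hex)."""
    fields = text.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def host_key_matches_dns(pubkey_line: str, sshfp_records) -> bool:
    """Client-side check: does the key the server presented match a published
    SSHFP RR? Only SHA-256 fingerprints are accepted; SHA-1 records are ignored."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    presented = hashlib.sha256(blob).hexdigest()
    for rr in sshfp_records:
        alg, fp_type, digest = parse_sshfp_record(rr)
        if fp_type == 2 and alg == SSHFP_ALGORITHM[keytype] and digest == presented:
            return True
    return False


if __name__ == "__main__":
    rr = sshfp_record("host.example.", SAMPLE_PUBKEY_LINE)
    print(rr)
    print("presented key matches DNS:", host_key_matches_dns(SAMPLE_PUBKEY_LINE, [rr]))
```

The comparison in `host_key_matches_dns` is the part that addresses scenario 2 in the reply: after a reinstall, the client can tell a legitimately changed key (its new SSHFP record is in the zone) from one substituted on the path. OpenSSH does this with `VerifyHostKeyDNS yes`, but it only treats a matching record as authoritative when the answer was DNSSEC-validated; an unvalidated match still produces the interactive prompt, so the records are only as useful as the signing of the zone they live in.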