The code in OpenSSH is still getting exercised for it.
https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
--Andrew
On 27 Feb 2025, at 2:00, Phillip Hallam-Baker wrote:
I am currently taking a hard look at mechanisms for using DNS Handles as a means for exchange of authenticated and non-authenticated contact information via JSContact.

As part of that, I wanted to know if there was any *existing* use of the SSHFP record for publishing SSH credentials and if so whether it was limited to the server. And yes, I can read the specs, what I am asking about is actual practice.

If there is existing use, it might be something to build on. Otherwise, I think it best to forget it and apply the same SRV/TXT framework used for everything else.

The basic idea of JSContacts in handles being that I can put @phill.hallambaker.com on my business card or a publication, someone can pull the TXT record and get a uri that is a locator, decryptor and authenticator all in one:

_jscontact.phill.hallambaker.com. IN TXT "uri=jscontact://mplace2.social/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq"

That egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq bit is a truncated SHA-3 digest of the contact data. So if my SSH key is in the contact and the TXT record is DNSSEC signed, we have at least some authentication of the contact.

Alternatively, I might put the jscontact link on my business card as a QR code. So now, you can scan the link and get direct verification.

mplace2.social is just a resolution hint, a domain that currently has the contact information. If that is going to be in a paper publication, the resolution site might have changed but not the contact itself.

jscontact: @phill.hallambaker.com/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq

Since my publication engine has to populate the TXT records, it can do SSHFP in theory. But I see no reason to do that if it hasn't already established a user base.
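The publish-and-verify flow described in the quoted message, as an added example that is not code from the post or from any JSContact/Mesh implementation. The digest encoding (SHA3-256, lowercase unpadded base32, truncated to seven 4-character groups) and the sample contact bytes are assumptions chosen to match the shape of the record quoted above; the real format is not specified there.

```python
import base64
import hashlib
import hmac
import re

# Shape of the record text quoted in the post: uri=jscontact://<resolution-host>/<digest>
_TXT_RE = re.compile(r'^uri=jscontact://([A-Za-z0-9.-]+)/([a-z2-7]{4}(?:-[a-z2-7]{4})*)$')


def parse_jscontact_txt(rdata):
    """Return (resolution_host, digest) from a _jscontact TXT string, or None if malformed."""
    m = _TXT_RE.match(rdata)
    return (m.group(1), m.group(2)) if m else None


def contact_fingerprint(contact_bytes, groups=7):
    """Assumed encoding (not given in the post): SHA3-256 over the canonical contact bytes,
    base32 (RFC 4648 alphabet, lowercase, unpadded), truncated to `groups` 4-char groups."""
    digest = hashlib.sha3_256(contact_bytes).digest()
    b32 = base64.b32encode(digest).decode('ascii').lower().rstrip('=')
    chars = b32[:groups * 4]
    return '-'.join(chars[i:i + 4] for i in range(0, len(chars), 4))


def build_jscontact_txt(resolution_host, contact_bytes):
    """Publisher side: the TXT string to place at _jscontact.<handle-domain>."""
    return 'uri=jscontact://%s/%s' % (resolution_host, contact_fingerprint(contact_bytes))


def verify_contact(rdata, fetched_contact_bytes):
    """Reader side: after looking up the TXT record (ideally through a DNSSEC-validating
    resolver) and fetching the contact from the resolution host, check the fetched bytes
    against the digest carried in the handle. The host is only a hint; the trust decision
    rests on the digest match, not on where the contact was fetched from."""
    parsed = parse_jscontact_txt(rdata)
    if parsed is None:
        return False
    _host, expected = parsed
    return hmac.compare_digest(expected, contact_fingerprint(fetched_contact_bytes))


# Constructed sample contact (JSContact-like JSON; the values are made up for this example).
SAMPLE_CONTACT = b'{"@type":"Card","name":{"full":"Example Person"},"ssh":"ssh-ed25519 EXAMPLEKEY"}'
SAMPLE_TXT = build_jscontact_txt('mplace2.social', SAMPLE_CONTACT)

if __name__ == '__main__':
    print(SAMPLE_TXT)
    print(verify_contact(SAMPLE_TXT, SAMPLE_CONTACT))         # True
    print(verify_contact(SAMPLE_TXT, SAMPLE_CONTACT + b' '))  # False: any change to the contact fails
```

Any edit to the fetched contact, including a swapped SSH key, changes the digest and fails verification; the resolution host can change without affecting the check, which is the property the post relies on for paper publications.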
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations