I am currently taking a hard look at mechanisms for using DNS Handles as a means for exchange of authenticated and non-authenticated contact information via JSContact.
As part of that, I wanted to know if there was any *existing* use of the SSHFP record for publishing SSH credentials and if so whether it was limited to the server. And yes, I can read the specs, what I am asking about is actual practice. If there is existing use, it might be something to build on. Otherwise, I think it best to forget it and apply the same SRV/TXT framework used for everything else. The basic idea of JSContacts in handles being that I can put @ phill.hallambaker.com on my business card or a publication, someone can pull the TXT record and get a uri that is a locator, decryptor and authenticator all in one: _jscontact.phill.hallambaker.com. IN TXT "uri=jscontact://mplace2.social/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq" That egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq bit is a truncated SHA-3 digest of the contact data. So if my SSH key is in the contact and the TXT record is DNSSEC signed, we have at least some authentication of the contact. Alternatively, I might put the jscontact link on my business card as a QR code. So now, you can scan the link and get direct verification. mplace2.social is just a resolution hint, a domain that currently has the contact information. If that is going to be in a paper publication, the resolution site might have changed but not the contact itself. jscontact: @phill.hallambaker.com/egm3-lbnd-upo4-yxha-fy7p-hiim-y4kq Since my publication engine has to populate the TXT records, it can do SSHFP in theory. But I see no reason to do that if it hasn't already established a user base.
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
