SSHFP behind CNAME

I am intensely using the SSH Public Key Fingerprint (SSHFP, RFC 4255) in all of my environments. Since my zones are secured via DNSSEC I got rid of any “authenticity of host ‘xyz’ can’t be established” problems. As long as I am using my central jump host with OpenSSH and the “VerifyHostKeyDNS yes” option I can securely login into any of my servers without any warnings. Great!

However, I encountered a couple of daily problems when using SSHFP. One of them was the question whether SSHFP works behind CNAMEs, that is, when connecting to an  alias. Short answer: yes. Some more details here:

For general information about SSHFP refer to my first post about that security feature respectively the DNSSEC posts at all.

The usage of SSHFP even works when connecting to an alias. Here is an example: I am running a workstation with the name nb10.weberlab.de. And of course I have added SSHFP records for this name. Furthermore I have another DNS alias called mirror.weberlab.de which points to the CNAME nb10.weberlab.de.

Now I am using SSH to connect to the alias at mirror.weberlab.de. This works without any errors because the SSH client uses the AAAA record as well as the SSHFP records from the real machine behind the CNAME record. This is how ssh looks like:

Using dig to query the SSHFP records for the alias shows them as well:

Capturing the DNS requests from SSH with tcpdump/Wireshark you can see queries for AAAA/A records which are answered with CNAME and the actual IPv6 address, as well as the query for SSHFP which is answered with the CNAME and SSHFP records, too. All responses are authenticated by the server (ad flag):

This works out of the design from DNS itself since “the name server includes the CNAME record in the response and restarts the query at the domain name specified in the data field of the CNAME record”, RFC 1034, section 3.6.2. That is: independent of the initial query type (AAAA or SSHFP) the DNS resolver answers with the CNAME record as well as with the queried record type. Hence the SSH client accepts the IP address along with the SSHFP.

Featured image “<- ALIAS” by Steffi Reichert is licensed under CC BY-NC-ND 2.0.

Leave a Reply

Your email address will not be published.