Publishing SSH host key fingerprints in DNS records so that clients can verify the authenticity of a host.

A fingerprint is a hash of the server's host key. The SSH client compares it on connection to make sure that the server we are about to connect to is the expected one and that its identity has not been altered (for example by a man-in-the-middle). The client keeps the fingerprints it has accepted in its list of known hosts (~/.ssh/known_hosts); how the user obtains a fingerprint in the first place and checks its authenticity is usually left to their care, which in practice means accepting it blindly on first connection.

Here the DNS is used to solve the fingerprint distribution problem, with the obvious assumption that you trust the DNS for that: without DNSSEC, anyone who can spoof your DNS answers can just as well publish a fingerprint for a key of their own. The SSHFP record (RFC 4255) associates a hostname with the fingerprints of its SSH host keys. Retiring an obsolete or compromised key is then as simple as removing its SSHFP record, at least for clients that have not connected yet: a client that already accepted the key has it in known_hosts and will keep trusting it until that entry is removed as well.

The TTL (Time To Live) of the record delays its revocation: resolvers keep serving the old record from their cache until the TTL has expired.

The following command, to be executed on the server itself, generates the records to be placed in the DNS zone. The keys taken into account are the server's own host keys (by default /etc/ssh/ssh_host_*_key.pub). Each output line has the form "hostname IN SSHFP <algorithm> <fingerprint type> <hex fingerprint>", with one SHA-1 (type 1) and one SHA-256 (type 2) record per key.

Generating SSHFP records
ssh-keygen -r hostname
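As an added example that is not part of the original post, the following POSIX shell script shows what is inside those records: it recomputes, from an OpenSSH public key line, the records ssh-keygen -r prints, and checks a record as returned by "dig +short SSHFP hostname" against the key. The sample key is a constructed, syntactically valid ssh-ed25519 public key line and not a real host key, and host.example is a placeholder hostname; the record layout and the algorithm and fingerprint type numbers are those of RFC 4255, RFC 6594 and RFC 7479.

```shell
#!/bin/sh
# Added example (not from the original post): recompute SSHFP records from an
# OpenSSH public key line and verify a record served by DNS against the key.
# Needs only POSIX sh plus coreutils (awk, base64, sha1sum, sha256sum, tr).

# Constructed sample key: syntactically a valid ssh-ed25519 public key line,
# but NOT a real host key. Use the content of /etc/ssh/ssh_host_*_key.pub instead.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBExampleKeyNotARealHostKey0123456789abcdefg root@host.example'

# SSHFP algorithm number for an OpenSSH key type (RFC 4255, RFC 6594, RFC 7479).
sshfp_algo() {
  case "$1" in
    ssh-rsa) echo 1 ;;
    ssh-dss) echo 2 ;;
    ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) echo 3 ;;
    ssh-ed25519) echo 4 ;;
    *) return 1 ;;
  esac
}

# Fingerprint as stored in the record: hex digest of the raw key blob, i.e.
# of the base64-decoded second field of the key line.
# $1 = key line, $2 = fingerprint type (1 = SHA-1, 2 = SHA-256)
sshfp_fingerprint() {
  blob_b64=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$2" in
    1) printf '%s' "$blob_b64" | base64 -d | sha1sum   | cut -d' ' -f1 ;;
    2) printf '%s' "$blob_b64" | base64 -d | sha256sum | cut -d' ' -f1 ;;
    *) return 1 ;;
  esac
}

# Print the zone records for one key, in the form ssh-keygen -r uses:
#   <hostname> IN SSHFP <algorithm> <fingerprint type> <hex fingerprint>
# $1 = hostname, $2 = key line
sshfp_records() {
  key_type=$(printf '%s\n' "$2" | awk '{print $1}')
  algo=$(sshfp_algo "$key_type") || return 1
  for ftype in 1 2; do
    printf '%s IN SSHFP %s %s %s\n' "$1" "$algo" "$ftype" "$(sshfp_fingerprint "$2" "$ftype")"
  done
}

# Check one RDATA tuple, as printed by "dig +short SSHFP <hostname>"
# ("<algorithm> <fingerprint type> <HEX>"), against a key line.
# Returns 0 when the record matches the key, 1 otherwise.
# $1 = key line, $2 = RDATA tuple
sshfp_check() {
  rec_algo=$(printf '%s\n' "$2" | awk '{print $1}')
  rec_ftype=$(printf '%s\n' "$2" | awk '{print $2}')
  # dig may print the hex in uppercase and in several chunks: join and lowercase it
  rec_fp=$(printf '%s\n' "$2" | awk '{for (i = 3; i <= NF; i++) printf "%s", $i}' | tr 'A-F' 'a-f')
  key_algo=$(sshfp_algo "$(printf '%s\n' "$1" | awk '{print $1}')") || return 1
  [ "$rec_algo" = "$key_algo" ] || return 1
  key_fp=$(sshfp_fingerprint "$1" "$rec_ftype") || return 1
  [ "$rec_fp" = "$key_fp" ]
}

# Demo: records for the sample key, then a self-check of its SHA-256 record.
sshfp_records host.example "$SAMPLE_KEY"
rdata=$(sshfp_records host.example "$SAMPLE_KEY" | awk '$5 == 2 {print $4, $5, $6}')
if sshfp_check "$SAMPLE_KEY" "$rdata"; then echo "record matches key"; fi
```

To audit a live zone, feed each line of "dig +short SSHFP host.example" to sshfp_check together with the matching /etc/ssh/ssh_host_*_key.pub line; a record that fails the check belongs to a key the server no longer has (or never had) and should be removed from the zone. In normal use ssh-keygen -r remains the tool to generate the records; the script only makes explicit what it hashes.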

It remains to ask the ssh client to take the SSHFP records into account; for this, the following line is added either to the global configuration (/etc/ssh/ssh_config) or to each user's configuration (~/.ssh/config). Note that ssh only treats a matching SSHFP record as authoritative when the resolver returns a DNSSEC-validated answer (AD flag set); with an unvalidated answer it still shows the usual host key prompt, merely noting that a matching fingerprint was found in DNS. Running ssh -v shows whether the fingerprints it found were "secure" or "insecure".

~/.ssh/config
VerifyHostKeyDNS yes