SSHFP Record Generator
Generate SSHFP DNS records from an SSH public key. Get SHA-1 and SHA-256 fingerprints, a zone-file line, and a verify command. No uploads, no signup.
SSHFP record generator and parser
An SSHFP record publishes a host key fingerprint in DNS. The record data is three fields, algorithm, fingerprint type and hex fingerprint, and the fingerprint is a hash of the raw public key blob.
Paste a single OpenSSH public key (the contents of a .pub file or a line from /etc/ssh/ssh_host_ed25519_key.pub). The fingerprint is computed from the key blob, never the comment.
How the three values work
- Algorithm says which public key algorithm the host uses: 1 is RSA, 2 is DSA, 3 is ECDSA, and 4 is Ed25519.
- Fingerprint type is the hash used: 1 is SHA-1 and 2 is SHA-256. Publish both so that old and new clients are covered.
- Fingerprint is the lowercase hex hash of the raw public key blob, the same bytes ssh-keygen hashes, not the whole authorized_keys line.
- Publish one pair of records per host key type. A server with both an Ed25519 and an RSA host key needs SSHFP records for each.
Getting verification to actually work
- The client must opt in with VerifyHostKeyDNS yes (or ask) in ssh_config or on the command line.
- SSHFP is only trusted automatically when the answer is DNSSEC signed. Without DNSSEC, ssh treats the match as advisory and still prompts.
- Generate records straight from a host with ssh-keygen -r hostname. This tool does the same for a key you paste, with no shell access needed.
- Rotate the records whenever you regenerate a host key, or clients will see a mismatch.
Privacy
Fingerprints are computed in your browser with the Web Crypto API. The public keys you paste are never uploaded, and no DNS queries are made. Public keys are safe to share by design; only the matching private key must stay secret, and a private key is never needed here.
How to use
- Keep the Generate from key tab selected and paste an OpenSSH public key, such as the contents of a .pub file or a host key from /etc/ssh/ssh_host_ed25519_key.pub.
- Enter the host name the key belongs to, like host.example.com, and an optional TTL. If the key comment is a host name, use the one-click link to fill it in.
- Read off the SHA-1 (type 1) and SHA-256 (type 2) records. Copy a record data line, a full zone-file line, or both lines together.
- Use the verify block to publish and check the record with dig, ssh-keygen -r, and ssh -o VerifyHostKeyDNS=yes, and copy the provider snippet for your DNS host.
- Switch to Parse and explain to paste an existing SSHFP record and confirm the algorithm, hash, and fingerprint length are correct.
About this tool
SSHFP Record Generator turns an SSH public key into the DNS records that let clients verify a host key without the usual trust-on-first-use prompt. An SSHFP record (RFC 4255, with later additions in RFC 6594 and RFC 7479) publishes the fingerprint of a server's SSH host key in DNS, so an SSH client that has VerifyHostKeyDNS enabled can look up the fingerprint and confirm it matches the key the server presents, instead of asking you to eyeball a fingerprint string on first connect. The record carries three fields: an algorithm number that says which key algorithm the host uses (1 for RSA, 2 for DSA, 3 for ECDSA, 4 for Ed25519), a fingerprint type that says which hash was used (1 for SHA-1, 2 for SHA-256), and the fingerprint itself, which is the lowercase hex hash of the raw public key blob.

The detail that trips people up is that the fingerprint is computed over the binary key blob, the base64-decoded second field of the public key line, not over the whole authorized_keys entry, and not over the comment. This tool gets that right. Paste an OpenSSH public key, the contents of a .pub file or a host key from /etc/ssh/ssh_host_ed25519_key.pub, and the tool decodes the blob, reads the algorithm from the key type embedded in the wire format, and computes both the SHA-1 and SHA-256 fingerprints in your browser with the Web Crypto API.

It outputs the record data, a full zone-file line with the owner name and an optional TTL, the generic TYPE44 representation that some older DNS providers require for record types they do not understand by name, and a short block of commands to publish and verify the record with dig, ssh-keygen -r, and ssh -o VerifyHostKeyDNS=yes. It also recognizes RSA, DSA, ECDSA, and Ed25519 keys, flags when the type in the line does not match the type inside the blob, and validates the host name.
A second mode parses an existing SSHFP record: paste a zone-file line or the three bare values and the tool explains each field, names the algorithm and hash, and checks that the fingerprint length matches the hash. Two things are worth knowing for verification to actually work. The client has to opt in with VerifyHostKeyDNS, and the lookup is only trusted automatically when the DNS answer is DNSSEC signed; without DNSSEC, ssh treats a match as advisory and still prompts. Everything runs locally. The keys you paste never leave your browser, no DNS queries are performed, and public keys are safe to share by design, so no private key is ever needed. Useful for sysadmins hardening SSH access, anyone setting up host-key verification through DNS, and people who want SSHFP records for a key without shell access to the server that ssh-keygen -r would require.
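The following is an added example, not the tool's own code, showing both modes described above: it decodes an OpenSSH public key line, reads the key type from the wire-format blob, hashes the blob (never the comment) for SSHFP types 1 and 2, emits zone-file lines, and parses a record back to check the fingerprint length against the hash. The sample key is a constructed Ed25519 blob with placeholder key bytes, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) by OpenSSH key type; every ECDSA curve maps to 3.
ALG_NUMBERS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
ALG_NAMES = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519"}
FP_TYPES = {1: ("SHA-1", hashlib.sha1, 40), 2: ("SHA-256", hashlib.sha256, 64)}

def blob_key_type(blob):
    """Return the key type string that opens every SSH wire-format public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")

def sshfp_records(pub_line, owner, ttl=3600):
    """Return the SHA-1 and SHA-256 SSHFP zone lines for one OpenSSH public key line."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    line_type, blob = fields[0], base64.b64decode(fields[1])
    inner_type = blob_key_type(blob)
    if inner_type != line_type:  # the blob is authoritative; a mismatch means a mangled line
        raise ValueError(f"line says {line_type!r} but blob says {inner_type!r}")
    alg = 3 if inner_type.startswith("ecdsa-sha2-") else ALG_NUMBERS.get(inner_type)
    if alg is None:
        raise ValueError(f"no SSHFP algorithm number for {inner_type!r}")
    # Hash the raw blob only: the comment (third field) never enters the fingerprint.
    return [f"{owner} {ttl} IN SSHFP {alg} {fp_type} {hasher(blob).hexdigest()}"
            for fp_type, (_, hasher, _) in FP_TYPES.items()]

def parse_sshfp(record):
    """Explain an SSHFP record given as a zone-file line or as the three bare values."""
    alg, fp_type, fp = record.split()[-3:]
    alg, fp_type = int(alg), int(fp_type)
    result = {"algorithm": ALG_NAMES.get(alg), "hash": None, "problem": None}
    if result["algorithm"] is None:
        result["problem"] = f"unknown algorithm number {alg}"
    elif fp_type not in FP_TYPES:
        result["problem"] = f"unknown fingerprint type {fp_type}"
    else:
        name, _, hex_len = FP_TYPES[fp_type]
        result["hash"] = name
        if len(fp) != hex_len or any(c not in "0123456789abcdef" for c in fp.lower()):
            result["problem"] = f"{name} fingerprint must be {hex_len} hex chars, got {len(fp)}"
    return result

# Constructed Ed25519 key for this example: wire format is the string "ssh-ed25519" followed by a
# 32-byte key string. The key bytes are a placeholder pattern, not a real host key.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host.example.com"
```

Call `sshfp_records(SAMPLE_PUB, "host.example.com.")` to get the two zone lines, and feed either back to `parse_sshfp` to confirm the length check passes.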
Free to use. Works in your browser. No signup, no login.