Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record

Damien Miller djm at
Sun Jul 31 04:21:52 EST 2011

Thanks for starting work on this - SSHFP records for ECDSA keys were on
my TODO list, but I haven't yet got around to them.

I briefly skimmed your draft - one question I have is whether it is
better to roll up all the ECDSA key types under one SSHFP RR type.
It would be quite ugly to have to allocate SSHFP RR type numbers for
each possible ECDSA curve type, but using a single one might make
exploitation of SHA256 preimage attacks easier.

The latter is a theoretical concern, so I think a single RR type is
probably correct.

It would probably be best to continue discussion of this on the IETF SSH


On Thu, 28 Jul 2011, Ond?ej Sur? wrote:

> Hi,
> I was sure I sent this to openssh at, but cannot find that email now in my Sent mailbox, so I am sending it to the developers list.
> I took a liberty and wrote an I-D with accompanying patch (with contributions from Ondrej Caletka) to support ECDSA in the SSHFP DNS resource record.
> The I-D is here: (and the source XML here:
> The patch to vanilla 5.8 here:
> Please Cc: me as I am not (and don't intend to be) subscribed to the list.  I will check the archives occasionally, but Cc: would be appreciated.
> Thanks,
> O.
> --
>  Ond?ej Sur?
>  vedouc? v?zkumu/Head of R&D department
>  -------------------------------------------
>  CZ.NIC, z.s.p.o.    --    Laborato?e CZ.NIC
>  Americka 23, 120 00 Praha 2, Czech Republic
>  mailto:ondrej.sury at
>  tel:+420.222745110       fax:+420.222745112
>  -------------------------------------------
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list