New security feature for NorNet Core: SSHFP RRs in the DNS

To further improve the security of access to NorNet Core resources, the NorNet DNS servers now provide SSHFP resource records (RFC 4255, RFC 6594, RFC 7479). In particular, the DNS entry for the gatekeeper server provides the fingerprints of the SSH public keys for this machine. SSHFP RRs are provided for RSA, ECDSA and Ed25519 keys, with both SHA-1 and SHA-256 hashes.

To query the DNS for the public key fingerprint, use the following SSH option:

ssh -oVerifyHostKeyDNS=yes <user>

SSHFP records are also provided by the internal NorNet DNS. For technical reasons (a current limitation of the upstream PlanetLab software), only the RSA key fingerprints can be provided for the research nodes.
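What an SSHFP record contains, and the comparison a client makes against it, as an added Python example that is not NorNet or OpenSSH code. The helper names and the Ed25519 key bytes are constructed for illustration; the algorithm and hash numbers are those of the RFCs cited above.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers from RFC 4255, RFC 6594 and RFC 7479.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
            "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
            "ecdsa-sha2-nistp521": 3}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Decode an OpenSSH public key line into (SSHFP algorithm, raw key blob)."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own length-prefixed type name; it must agree
    # with the text field, otherwise the line is malformed or was edited.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return KEY_ALGS[key_type], blob


def sshfp_rdata(pubkey_line):
    """Return the SSHFP RDATA strings (one per hash type) for a public key."""
    alg, blob = key_blob(pubkey_line)
    return [f"{alg} {t} {h(blob).hexdigest()}" for t, h in FP_TYPES.items()]


def host_key_matches(pubkey_line, dns_rdata):
    """True if the offered host key matches any SSHFP record from the DNS."""
    alg, blob = key_blob(pubkey_line)
    for record in dns_rdata:
        rec_alg, fp_type, fp_hex = record.split()
        if int(rec_alg) != alg or int(fp_type) not in FP_TYPES:
            continue  # other key algorithm or unknown hash type
        digest = FP_TYPES[int(fp_type)](blob).hexdigest()
        if hmac.compare_digest(digest, fp_hex.lower()):
            return True
    return False


def constructed_ed25519_line(raw32):
    """Build a public key line from 32 constructed bytes (sample input only)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

With VerifyHostKeyDNS=yes, OpenSSH implicitly trusts a matching fingerprint only when the DNS answer is DNSSEC-validated; a match from an unvalidated answer is handled as if the option were set to "ask".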

More information on SSHFP-based SSH security is provided in this article.

