Neither the internal DNS server nor bind9_dlz support SSHFP records. It would be nice if we could get this added to at least one of them. More info: https://tools.ietf.org/html/rfc4255 http://unix.stackexchange.com/questions/121880/how-do-i-generate-sshfp-records
On 2016-03-16 at 12:33 +0000 samba-bugs@samba.org sent off:
> Neither the internal DNS server nor bind9_dlz support SSHFP records. It would
> be nice if we could get this added to at least one of them. More info:

Can't we support arbitrary DNS record types even if the name is not known (yet)?

For example old Bind versions don't know TLSA records like this:
In recent Bind versions you can define TLSA records like that.

_443._tcp.www.example.com. 3600 IN TLSA 3 0 1 685127ee0c5036ff924d5de86beb02182428126df2a2146650265c1f21c8a3a0

With old Bind versions not knowing about TLSA records, this fails. But you can add the generic DNS record by giving the TYPE<number> record type instead of the name:

_443._tcp.www.example.com. 3600 IN TYPE52 \# 35 030001685127ee0c5036ff924d5de86beb02182428126df2a2146650265c1f21c8a3a0

AFAIKS only a DNS client has to know about the TLSA record name type only to translate it to the right RR type code. The server just has to accept the TYPE52 or whatever comes in.

The RR type code for the SSHFP RR would be 44.
I generally use samba-tool to create DNS records. Doesn't seem like this is possible.

Usage: samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>

However, I whipped up a script to use nsupdate, and if I try to use a type of SSHFP, it unsurprisingly gives me an error:

named-sdb[1147]: samba_dlz: unsupported record type 'SSHFP' for 'myhost.mydomain.com.'

No problem, I'll just use TYPE44 instead. I wasn't sure if the \# was required or if that was a TLSA thing, or a typo, but it seems to cause a failure:

update add myhost.mydomain.com 3600 TYPE44 \# 1 1 d3b07384d113edec49eaa6238ad5ff00
invalid rdata format: ran out of space

Without the \#, nsupdate appears to successfully send the data to the DNS server, but again, I can see in the logs that the DNS server identifies it as SSHFP and fails to add it.

update add myhost.mydomain.com 3600 TYPE44 1 1 d3b07384d113edec49eaa6238ad5ff00

named-sdb[1147]: client 10.10.10.54#36590: updating zone 'mydomain.com/NONE': adding an RR at 'myhost.mydomain.com' SSHFP
named-sdb[1147]: samba_dlz: unsupported record type 'SSHFP' for 'myhost.mydomain.com.'
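Added example (not code from Samba, BIND or anyone in this thread): a small Python helper that builds the RFC 3597 generic form used in the two comments above for TLSA and SSHFP, and validates a candidate line by checking the declared octet count against the hex data, which is the check the `\# 1 1 ...` line in the previous comment does not pass. The 16-byte fingerprint is just the placeholder value from this thread, not a real SHA-1.

```python
# Added example, not Samba or BIND code: RFC 3597 generic rdata ("\# <len> <hex>")
# for the TYPE44 (SSHFP, RFC 4255) and TYPE52 (TLSA, RFC 6698) records discussed above.
import re

SSHFP_TYPE = 44
TLSA_TYPE = 52


def generic_rdata(raw: bytes) -> str:
    """Render raw rdata as RFC 3597 text: backslash-hash, octet count, hex of the data."""
    return "\\# %d %s" % (len(raw), raw.hex())


def sshfp_generic(algorithm: int, fp_type: int, fingerprint_hex: str) -> str:
    """SSHFP wire format: 1-octet algorithm, 1-octet fingerprint type, then the fingerprint."""
    return generic_rdata(bytes([algorithm, fp_type]) + bytes.fromhex(fingerprint_hex))


def tlsa_generic(usage: int, selector: int, matching: int, cert_hex: str) -> str:
    """TLSA wire format: usage, selector, matching type (1 octet each), then association data."""
    return generic_rdata(bytes([usage, selector, matching]) + bytes.fromhex(cert_hex))


# "\#", whitespace, decimal length, then zero or more whitespace-separated hex runs.
_GENERIC_RE = re.compile(r"^\\#\s+(\d+)((?:\s+[0-9a-fA-F]+)*)\s*$")


def parse_generic(text: str) -> bytes:
    """Parse generic rdata and check the declared octet count; raise ValueError on mismatch."""
    m = _GENERIC_RE.match(text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic rdata: %r" % text)
    declared = int(m.group(1))
    hexdigits = re.sub(r"\s+", "", m.group(2))
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits (%d)" % len(hexdigits))
    raw = bytes.fromhex(hexdigits)
    if len(raw) != declared:
        raise ValueError("declared %d octets but got %d" % (declared, len(raw)))
    return raw


def is_valid_generic(text: str) -> bool:
    try:
        parse_generic(text)
        return True
    except ValueError:
        return False


def decode_sshfp(raw: bytes):
    """Split SSHFP rdata back into (algorithm, fp_type, fingerprint_hex)."""
    if len(raw) < 3:
        raise ValueError("SSHFP rdata too short")
    return raw[0], raw[1], raw[2:].hex()
```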
> can't we support arbitrary DNS record types even if the Name is not known
> (yet)?
...
> AFAIKS only a DNS client has to know about the TLSA record name type only to
> translate it to the right RR type code. The server just has to accept the
> TYPE52 or whatever comes in. The RR type code for the SSHFP RR would be 44.

This is not true for our DNS implementations, as we need to translate records between the on-wire format and the respective storage format that is used in AD.

Basically, please stop comparing Samba DNS against BIND. Compare it against the Windows AD DNS server. While we of course can make up our own way to store things in AD, I'm not sure how well Windows AD DNS would deal with those records in a hybrid scenario.
That being said, if anybody wants to build this and then see how Windows handles it, I'm happy to review patches.
It appears that Windows DNS doesn't officially support SSHFP, but it's possible to use nsupdate to add records for it as suggested by Björn, if this is any indication: http://serverfault.com/questions/675413/sshfp-records-on-windows-dns-server That said, my domain controllers are all Samba, so I wouldn't care if it broke Windows DNS server compatibility.
(In reply to Sketch from comment #5)

Maybe someone could try the nsupdate trick on a Windows server and see how it stores it in the dnsNode attribute? (I don't have any Windows licences anymore)