Write about DNS/RFC/4255 here.
http://tools.ietf.org/html/rfc4255
Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
The SSH [6] protocol provides secure remote login and other secure network services over an insecure network. The security of the connection relies on the server authenticating itself to the client as well as the user authenticating itself to the server.

If a connection is established to a server whose public key is not already known to the client, a fingerprint of the key is presented to the user for verification. If the user decides that the fingerprint is correct and accepts the key, the key is saved locally and used for verification for all following connections. While some security-conscious users verify the fingerprint out-of-band before accepting the key, many users blindly accept the presented key.

The method described here can provide out-of-band verification by looking up a fingerprint of the server public key in the DNS [1][2] and using DNSSEC [5] to verify the lookup.

In order to distribute the fingerprint using DNS, this document defines a new DNS resource record, "SSHFP", to carry the fingerprint.

Basic understanding of the DNS system [1][2] and the DNS security extensions [5] is assumed by this document.
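As an added example (not code from RFC 4255 or from this page), the Python below builds SSHFP records from an OpenSSH host-key line and checks a key presented by a server against one such record. The Ed25519 algorithm code and the SHA-256 fingerprint type come from RFC 7479 and RFC 6594, which extend RFC 4255; the host key is a constructed placeholder, and the DNSSEC-validated lookup of the record is assumed to be done by the resolver.

```python
import base64
import hashlib
import struct

# SSHFP algorithm codes (RFC 4255: 1 RSA, 2 DSA; RFC 6594: 3 ECDSA; RFC 7479: 4 Ed25519)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint-type codes (RFC 4255: 1 SHA-1; RFC 6594: 2 SHA-256)
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def parse_openssh_pubkey(line):
    """Split an OpenSSH public-key line into (key type, raw wire-format key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed OpenSSH public key line")
    return fields[0], base64.b64decode(fields[1])


def sshfp_records(hostname, pubkey_line):
    """Return 'host. IN SSHFP alg fptype hex' lines, one per fingerprint type.

    The fingerprint is the hash of the public key blob itself, i.e. the same
    bytes the SSH transport sends and that ssh-keygen -r hashes."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]  # KeyError: key type has no SSHFP code here
    return [
        f"{hostname}. IN SSHFP {alg} {fptype} {hasher(blob).hexdigest()}"
        for fptype, hasher in SSHFP_FPTYPE.items()
    ]


def key_matches_record(pubkey_line, record):
    """Check a server-presented key against one SSHFP record.

    True only if algorithm, fingerprint type and digest all agree, so a key of
    the right type but different bytes, or a record of another type, is rejected."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    rdata = record.split("SSHFP", 1)[1].split()
    alg, fptype, digest = int(rdata[0]), int(rdata[1]), rdata[2].lower()
    if SSHFP_ALGORITHM.get(keytype) != alg or fptype not in SSHFP_FPTYPE:
        return False
    return SSHFP_FPTYPE[fptype](blob).hexdigest() == digest


# Constructed sample host key (placeholder bytes, not a real Ed25519 key) in OpenSSH format
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host@example"
```

`ssh-keygen -r host.example -f /etc/ssh/ssh_host_ed25519_key.pub` emits the same record lines for a real key, and the matching step corresponds to what an OpenSSH client does with `VerifyHostKeyDNS yes`.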