Hello!

I reported bug #3753 [1], but it has not made any progress so far. I found a few minutes to look into openssh-10.0p1, and found the change is rather simple. Because ssh-keygen -l does not print SHA1 for a good reason anymore, I think it should also stop generating SSHFP records with SHA1 digests. These can be signed by DNSSEC and then avoid a blind leap of faith when first connecting to a new host.

It will still make it possible to request sha1 explicitly, but by default it would print only SSHFP algorithm 2 records. It would output just half of the records when the ssh-keygen -r localhost command is used.

$ ssh-keygen -r localhost
localhost IN SSHFP 1 1 3a4c9decaa9b93186b1378adf9470057f8713ec6
localhost IN SSHFP 1 2 d4b096c0dbfedabc6312ddf1d859cfd61477e9c279627ceb69ab91785ecc2ea3
localhost IN SSHFP 3 1 8fc2e422305df6da80038e94bd9c76da7877debd
localhost IN SSHFP 3 2 67e838434d0660427c923ee080f6b2676716bd544054612da6df03f2ab54e9d5
localhost IN SSHFP 4 1 d46401e7669ddda2b1e4a497afa5e694ee9407dd
localhost IN SSHFP 4 2 b7de03f31b349036de5464068771cf8a940da8ace6ec2ad6fa1709a148baffe5

will become just:

$ ./ssh-keygen -r localhost
localhost IN SSHFP 1 2 d4b096c0dbfedabc6312ddf1d859cfd61477e9c279627ceb69ab91785ecc2ea3
localhost IN SSHFP 3 2 67e838434d0660427c923ee080f6b2676716bd544054612da6df03f2ab54e9d5
localhost IN SSHFP 4 2 b7de03f31b349036de5464068771cf8a940da8ace6ec2ad6fa1709a148baffe5

But it can still be requested explicitly and displayed, if someone wants it.

$ ./ssh-keygen -O hashalg=sha1 -r localhost
localhost IN SSHFP 1 1 3a4c9decaa9b93186b1378adf9470057f8713ec6
localhost IN SSHFP 3 1 8fc2e422305df6da80038e94bd9c76da7877debd
localhost IN SSHFP 4 1 d46401e7669ddda2b1e4a497afa5e694ee9407dd

Would this simple change be mergeable? Is there anything else to do? This is my first patch sent to this list.

Thank you in advance!
Petr

1. https://bugzilla.mindrot.org/show_bug.cgi?id=3753

-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Stop-printing-SHA1-digest-in-SSHFP-output.patch
Type: text/x-patch
Size: 1231 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250919/b5d21216/attachment-0001.bin>
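The SSHFP generation the post describes, as an added example in Python that is not code from OpenSSH or from the attached patch. It produces records the way ssh-keygen -r does (the digest is taken over the decoded public key blob; SSHFP fingerprint type 1 is SHA-1, type 2 is SHA-256) with SHA-256 as the only default and SHA-1 available on request, and it goes one step beyond the post by also checking a retrieved SSHFP record against a host key, ignoring SHA-1 records unless the caller explicitly accepts them. The key line it hashes is constructed for the example and is not a real host key; all function names are the example's own.

```python
"""Generate and check DNS SSHFP records for an OpenSSH public key.

Added example; not code from OpenSSH or from the patch discussed on the
list. The demo key below is constructed for illustration and is not a
real host key.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers from the IANA SSHFP RR parameters registry.
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {"sha1": 1, "sha256": 2}
FP_TYPE_NAMES = {v: k for k, v in FP_TYPES.items()}


def _ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def key_blob(pubkey_line: str) -> tuple[str, bytes]:
    """Return (key type, decoded wire blob) from a '<type> <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with its own key-type string; it must agree with the text field.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode("ascii", "replace") != keytype:
        raise ValueError("key type inside blob does not match leading field")
    return keytype, blob


def fingerprint_hex(blob: bytes, hashalg: str) -> str:
    """Hex digest over the raw public key blob, the value SSHFP records carry."""
    return hashlib.new(hashalg, blob).hexdigest()


def sshfp_records(hostname: str, pubkey_line: str, hashalgs=("sha256",)) -> list[str]:
    """Emit '<host> IN SSHFP <alg> <fptype> <hex>' lines.

    The default is SHA-256 only (fingerprint type 2); pass hashalgs=("sha1",)
    to get the legacy type 1 records on explicit request.
    """
    keytype, blob = key_blob(pubkey_line)
    if keytype not in KEY_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for key type {keytype}")
    alg = KEY_ALGORITHMS[keytype]
    return [
        f"{hostname} IN SSHFP {alg} {FP_TYPES[h]} {fingerprint_hex(blob, h)}"
        for h in hashalgs
    ]


def sshfp_matches(pubkey_line: str, rdata: str, accept_sha1: bool = False) -> bool:
    """Check SSHFP RDATA ('<alg> <fptype> <hex>') against a host key line.

    Consumer side of the record: SHA-1 records are ignored unless the caller
    opts in, and unknown fingerprint types can never verify.
    """
    alg_s, fptype_s, digest = rdata.split()
    alg, fptype = int(alg_s), int(fptype_s)
    keytype, blob = key_blob(pubkey_line)
    if KEY_ALGORITHMS.get(keytype) != alg:
        return False
    if fptype == FP_TYPES["sha1"] and not accept_sha1:
        return False
    hashalg = FP_TYPE_NAMES.get(fptype)
    if hashalg is None:
        return False
    return hmac.compare_digest(fingerprint_hex(blob, hashalg), digest.lower())


def _demo_key(keytype: str, raw: bytes) -> str:
    """Build a syntactically valid public key line (constructed, not a real key)."""
    blob = _ssh_string(keytype.encode()) + _ssh_string(raw)
    return f"{keytype} {base64.b64encode(blob).decode()} demo@example"


# Constructed sample: an ssh-ed25519 line whose 32 key bytes are 0x00..0x1f.
DEMO_ED25519 = _demo_key("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    for line in sshfp_records("localhost", DEMO_ED25519):
        print(line)
    for line in sshfp_records("localhost", DEMO_ED25519, hashalgs=("sha1",)):
        print(line)
```

Two details matter for anyone doing this by hand: the digest is over the base64-decoded key blob, not the base64 text, and a verifier that still honours fingerprint type 1 gets a SHA-1 guarantee at most, which is why the default on both sides here is SHA-256 only.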