SSHFP observation
    Alan Clegg
    alan at clegg.com
    Thu Jan 31 23:16:05 UTC 2019
On 1/31/19 4:57 PM, Mark Andrews wrote:
> Given type 1 is a SHA-1 fingerprint it isn’t legal.  Named just
> hasn’t added type to length to the parsing code.
> 
> No real SSHFP will be 1 octet long.
While I agree that it's junk, the RFC doesn't give the DNS software the
ability to make that decision from my reading.
There is nothing in the RFC about validating the correctness of the data:
--
   The RDATA of the presentation format of the SSHFP resource record
   consists of two numbers (algorithm and fingerprint type) followed by
   the fingerprint itself, presented in hex, e.g.:
       host.example.  SSHFP 2 1 123456789abcdef67890123456789abcdef67890
--
AlanC
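The check under discussion, as an added example that is not part of this thread or of BIND: a strict parser for SSHFP presentation-format records that accepts the RFC 4255 syntax as quoted above, and additionally rejects a fingerprint whose length does not match its fingerprint type (type 1 is SHA-1, 20 octets; type 2 is SHA-256, 32 octets). The sample records are constructed for the example.

```python
"""Added example: strict SSHFP presentation-format checker (not BIND's code)."""
import re

# Fingerprint type -> expected digest length in octets
# (type 1 = SHA-1 from RFC 4255, type 2 = SHA-256 from RFC 6594).
FPTYPE_LEN = {1: 20, 2: 32}


def parse_sshfp(line: str):
    """Parse one SSHFP record in presentation format.

    Accepts the full record ("owner [ttl] [class] SSHFP alg fptype hex") or
    the bare RDATA ("alg fptype hex"). Returns (algorithm, fptype, fingerprint).
    Raises ValueError on a syntax error or on a fingerprint whose length does
    not match its type, which is the check the thread says named does not do.
    """
    tokens = line.split()
    if "SSHFP" in tokens:
        tokens = tokens[tokens.index("SSHFP") + 1:]
    if len(tokens) < 3:
        raise ValueError("SSHFP RDATA needs algorithm, fingerprint type and fingerprint")
    try:
        alg, fptype = int(tokens[0]), int(tokens[1])
    except ValueError:
        raise ValueError("algorithm and fingerprint type must be decimal integers") from None
    if not (0 <= alg <= 255 and 0 <= fptype <= 255):
        raise ValueError("algorithm and fingerprint type are one octet each")
    hexfp = "".join(tokens[2:])  # the hex may be split across whitespace
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexfp) or len(hexfp) % 2:
        raise ValueError("fingerprint must be an even number of hex digits")
    fp = bytes.fromhex(hexfp)
    expected = FPTYPE_LEN.get(fptype)
    if expected is not None and len(fp) != expected:
        raise ValueError(f"fingerprint type {fptype} requires {expected} octets, got {len(fp)}")
    return alg, fptype, fp  # unknown types are accepted as opaque data


def audit(lines):
    """Return {record: "ok" or the error message} for a list of records."""
    result = {}
    for line in lines:
        try:
            parse_sshfp(line)
            result[line] = "ok"
        except ValueError as exc:
            result[line] = str(exc)
    return result


# Constructed sample zone lines: the RFC 4255 example record, a SHA-256 record,
# and a 1-octet record of the kind described in the thread.
SAMPLE_RECORDS = [
    "host.example.  SSHFP 2 1 123456789abcdef67890123456789abcdef67890",
    "host.example. 3600 IN SSHFP 4 2 " + "ab" * 32,
    "junk.example.  SSHFP 1 1 ab",
]
```

Running `audit(SAMPLE_RECORDS)` accepts the first two records and reports the length mismatch for the third.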