IETF-SSH archive


sshfp and multiple ports



the sshfp draft describes a method that involves looking up a ssh host key
in the dns using a domain name. however, it does not specify how to handle
the case where one host listens on multiple ports and uses different host
keys for some or all of these ports.

here are some alternatives on how we could move forward with this issue:


a)  specify a ssh dns srv lookup method that maps a dns domain name for
    a service (i.e. not a hostname) to one or more hostnames:ports. the
    sshfp information could be stored at either the srv name or at the
    resulting hostname. example:

	_ssh._tcp.login.example.com.	IN SRV 0 0 22 host.example.com.
	_ssh._tcp.login.example.com.	IN SSHFP ...

	_ssh._tcp.cvs.example.com.	IN SRV 0 0 1022 host.example.com.
	_ssh._tcp.cvs.example.com.	IN SSHFP ...

	host.example.com.		IN A 10.0.0.1
					IN SSHFP ...

    note that the same result could also be accomplished by using different
    hostnames and requiring the client to specify a port number. what fails
    is if someone did 'ssh -p 1022 host.example.com' in the example
    above.

b)  add a port field to the sshfp resource record. this would be accused
    of being dns resource record subtyping, something the dns community
    usually does not like since you cannot look up a key for a single
    hostname:port in one query - all keys for that hostname would always
    be returned.


my suggestion is to leave sshfp as it is, write a document describing (a)
above and not try to solve the single name and multiple ports problem.


happy holidays,

	jakob
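An added illustration of alternative (a) (not code from the post or from any draft): a client resolves the SRV name for a service, then checks the host key against SSHFP records found at the SRV owner name or, failing that, at the target hostname. The zone contents, the key blobs and the precedence rule (SSHFP at the SRV owner name wins over the target host's) are assumptions made for this example; the direct-hostname check shows why 'ssh -p 1022 host.example.com' cannot find the port-1022 key.

```python
import hashlib

# Constructed stand-ins for the wire-format public key blobs that an SSHFP
# fingerprint is computed over (one listener on port 22, one on port 1022).
KEY_PORT_22 = b"constructed-rsa-key-blob-for-port-22"
KEY_PORT_1022 = b"constructed-rsa-key-blob-for-port-1022"

# SSHFP fingerprint type 1 = SHA-1, the only type defined in the draft.
FP_HASHES = {1: hashlib.sha1}


def sshfp(key_blob, algorithm=1, fptype=1):
    """Build SSHFP rdata (algorithm, fptype, hex fingerprint); algorithm 1 = RSA."""
    return (algorithm, fptype, FP_HASHES[fptype](key_blob).hexdigest())


# Constructed zone modelling alternative (a): SRV at the service names, SSHFP
# at the SRV name for the non-default port and at the host for port 22.
ZONE = {
    "_ssh._tcp.login.example.com.": {"SRV": [(0, 0, 22, "host.example.com.")]},
    "_ssh._tcp.cvs.example.com.": {"SRV": [(0, 0, 1022, "host.example.com.")],
                                   "SSHFP": [sshfp(KEY_PORT_1022)]},
    "host.example.com.": {"A": ["10.0.0.1"], "SSHFP": [sshfp(KEY_PORT_22)]},
}


def lookup(name, rrtype):
    """Stand-in for a DNS query: the rrset for name/type, or [] if absent."""
    return list(ZONE.get(name, {}).get(rrtype, []))


def fingerprint_matches(records, key_blob):
    """True if any SSHFP record's fingerprint equals the hash of key_blob."""
    return any(FP_HASHES[fptype](key_blob).hexdigest() == fp
               for _alg, fptype, fp in records if fptype in FP_HASHES)


def verify_via_srv(service, key_blob):
    """Alternative (a): resolve the SRV name, then use SSHFP from the SRV owner
    name, falling back to the target host. Returns (host, port, matched)."""
    srv_name = "_ssh._tcp." + service
    srv = sorted(lookup(srv_name, "SRV"))  # lowest priority value first
    if not srv:
        return (None, None, False)
    _prio, _weight, port, target = srv[0]
    records = lookup(srv_name, "SSHFP") or lookup(target, "SSHFP")
    return (target, port, fingerprint_matches(records, key_blob))


def verify_direct(hostname, key_blob):
    """What 'ssh -p <port> hostname' has today: only the hostname's SSHFP."""
    return fingerprint_matches(lookup(hostname, "SSHFP"), key_blob)
```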


