bgptools / issues

The public issue tracker for bgp.tools

Feature request: Add SSHFP records for bgp.tools, and potential DNS issues #152

Closed antonalekseev closed 3 months ago

antonalekseev commented 3 months ago

Have you considered adding SSHFP records (and consequently DNSSEC) for bgp.tools to make:

❯ =ssh lg@bgp.tools
The authenticity of host 'bgp.tools (185.230.223.150)' can't be established.
[...]

disappear at least with the modern OpenSSH clients?

P.S. While looking for the DS/DSKEY records for the domain, I discovered that the NS/SOA records across the name servers that serve bgp.tools are inconsistent. It's probably because you're managing zone data with APIs and not relying on AXFR, but I still decided to let you know.

❯ host -t ns bgp.tools|cut -d' ' -f4|while read -r ns; do host -t soa bgp.tools $ns; done|grep "^bgp.tools has SOA"|cut -d' ' -f5,7
ns-302.awsdns-37.com. 1
ns-302.awsdns-37.com. 1
default_not_set. 2024050210
ns1.exoscale.ch. 1714668117
ns1.exoscale.ch. 1714668117
ns1.exoscale.ch. 1714668117
ns1.exoscale.ch. 1714668117
ns-302.awsdns-37.com. 1
ns1-35.azure-dns.com. 1
ns1-35.azure-dns.com. 1
ns1-35.azure-dns.com. 1
ns1-35.azure-dns.com. 1
ns-302.awsdns-37.com. 1

benjojo commented 3 months ago

DNSSEC is a no-go with the current (and reasonably new) DNS setup (multi "big" vendor DNSSEC is really hard), and I cannot in good faith put SSHFP records on the zone without DNSSEC.