When the taste of TOFU (Trust On First Use) starts to pale: blindly eating (accepting) whatever is put in front of you. It may look, feel, even smell familiar, but can you really be sure? No.
Better to let a trusted third party (even a chain of them) certify what is presented before consuming it: an SSHFP (SSH Fingerprint) DNS record, served verified and backed by DNSSEC.
Practical Example
The server is reachable via ssh.example.com and uses an ed25519 host key.
SSH into the server in question and generate the SSHFP records from the host public key with ssh-keygen.
ssh-keygen -r ssh.example.com -f /etc/ssh/ssh_host_ed25519_key.pub
Example output:
ssh.example.com IN SSHFP 4 1 d3b07384d113edec49eaa6238ad5ff00
ssh.example.com IN SSHFP 4 2 0e339bce984d3e1a7887c35d7989f68a94e4a88b6e12ce3e9fd3f8c5a5a7e9b3
Create the DNS records in your DNSSEC-signed zone and verify they are resolvable.
dig sshfp +dnssec +short ssh.example.com
ssh.example.com IN SSHFP 4 1 D3B07384D113EDEC49EAA6238AD5FF00
ssh.example.com IN SSHFP 4 2 0E339BCE984D3E1A7887C35D7989F68A94E4A88B6E12CE3E9FD3F8C5A5A7E9B3
SSHFP 13 4 300 20250408004201 20250405224201 34505 example.com. JbXsUKaycfQETlUToMDvhM6b6nK4LLnshRqF+B7rmybnm/pFE7j4QvZF 9//mA3HW7f2iRdt3gv6Wa4D+pwkq6w==
The VerifyHostKeyDNS option is not enabled by default in the SSH client; set it to yes in ~/.ssh/config under the host in question.
...
Host ssh.example.com
    VerifyHostKeyDNS yes
...
Verify it is working by adding the verbose flag (-v) when connecting.
...
debug1: Server host key: ssh-ed25519 SHA256:d3b07384d113edec49eaa6238ad5ff00
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 1
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2
...
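To make the procedure above concrete, here is an added example (not code from the original post or from OpenSSH) that re-implements the two computations behind it: what ssh-keygen -r derives from the host public key, and the comparison the client performs against the published RDATA. Per RFC 4255 the fingerprint is simply the SHA-1 (type 1) or SHA-256 (type 2, RFC 6594) digest of the raw public key blob, i.e. the base64 field of the .pub line decoded. The sample key line is constructed from arbitrary bytes (it is not a real key pair), the hostname is the page's ssh.example.com, and the three-way match/mismatch/none result is this example's own policy, not OpenSSH's exact logic.

```python
"""SSHFP generation and client-side matching (added example, not the post's code).

The fingerprint is the SHA-1 (type 1) or SHA-256 (type 2) digest of the raw
public key blob: the base64 field of an OpenSSH .pub line, decoded.
"""
import base64
import hashlib
import hmac
import struct

# IANA SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# IANA SSHFP fingerprint types.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Split an OpenSSH '<type> <base64> [comment]' line into (type, key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a string naming the algorithm; it must agree
    # with the textual type, otherwise the line is corrupt or tampered with.
    if blob[4:4 + struct.unpack(">I", blob[:4])[0]] != keytype.encode():
        raise ValueError("key blob does not match declared key type")
    return keytype, blob


def sshfp_records(hostname: str, line: str) -> list[str]:
    """Build the records `ssh-keygen -r <hostname> -f <key>.pub` prints, one per digest type."""
    keytype, blob = parse_pubkey_line(line)
    alg = ALGORITHMS[keytype]
    return [
        f"{hostname} IN SSHFP {alg} {fptype} {digest(blob).hexdigest()}"
        for fptype, digest in sorted(FP_TYPES.items())
    ]


def verify_host_key(line: str, published: list[str]) -> str:
    """Compare a presented host key against SSHFP RDATA as `dig +short` prints it.

    Returns "match" if any record for the key's algorithm with a known digest
    type carries the right digest, "mismatch" if such records exist but none
    match (a changed key, or the wrong zone), and "none" if the zone says
    nothing about this algorithm. The three-way result is this example's policy.
    """
    keytype, blob = parse_pubkey_line(line)
    alg, seen = ALGORITHMS[keytype], False
    for rdata in published:
        fields = rdata.split()
        # `dig +dnssec +short` also prints RRSIG lines ("SSHFP 13 4 300 ...");
        # they start with a type name rather than a number, so skip them here.
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        r_alg, r_type, hexdigest = int(fields[0]), int(fields[1]), "".join(fields[2:])
        if r_alg != alg or r_type not in FP_TYPES:
            continue
        seen = True
        # bytes.fromhex accepts both the upper-case hex dig prints and the
        # lower-case hex ssh-keygen prints; compare_digest is constant-time.
        if hmac.compare_digest(FP_TYPES[r_type](blob).digest(), bytes.fromhex(hexdigest)):
            return "match"
    return "mismatch" if seen else "none"


# Constructed sample input: 32 arbitrary bytes standing in for an ed25519
# public key (not a real key pair), wrapped in the OpenSSH wire format.
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
).decode() + " root@ssh.example.com"


if __name__ == "__main__":
    records = sshfp_records("ssh.example.com", SAMPLE_PUBKEY_LINE)
    print("\n".join(records))
    # Simulate the zone's answer: RDATA only, upper-cased the way dig prints it.
    answer = [" ".join(r.split()[3:]).upper() for r in records]
    print(verify_host_key(SAMPLE_PUBKEY_LINE, answer))
```

One caveat worth keeping in mind when testing this setup: OpenSSH accepts a DNS match without prompting only when the resolver flagged the answer as DNSSEC-validated (the AD bit in the response). With a non-validating stub resolver the client still finds the record but falls back to asking you to confirm the key, so signing the zone is necessary but not sufficient; the client's resolver has to validate too.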