SSHFP records
The IP Register database supports SSHFP records, for automatic ssh host authentication. SSHFP records are specified in RFC 4255 as updated by RFC 6594 and RFC 7479.
Some SSH clients can be configured to trust such fingerprint information from the DNS, especially if it is from a DNSSEC-signed zone (such as cam.ac.uk), instead of (rather uselessly) asking the end-user whether it looks good to them.
At the moment the records have to be created or deleted by using the table_ops web page, selecting object type sshfp. The various fields will hopefully be self-explanatory to those who have read the RFCs mentioned above. SSHFP records can be attached to any existing boxes, vboxes or anames to which the user has access rights. All SSHFP records for a name will need to be removed explicitly before the box, vbox or aname is rescinded, but the rename functions will rename any attached SSHFP records transparently.
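As an added illustration (not code from the IP Register service), the following Python computes the SSHFP RDATA that belongs in the DNS for a given OpenSSH host key line, and performs the client-side comparison that an option such as OpenSSH's VerifyHostKeyDNS relies on. The sample key is constructed (its 32 key bytes are 0..31) and is not a real host key; the record names and the assumption that the DNS answer was already DNSSEC-validated are this example's own.

```python
import base64
import hashlib
import struct

# Algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types (1 = SHA-1, 2 = SHA-256).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return SSHFP RDATA strings ('alg fptype hexdigest') for one OpenSSH public-key line.

    The fingerprint is the hash of the wire-format key blob, which is exactly the
    base64 field of the key line (the same thing `ssh-keygen -r` hashes).
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed key type string; it must agree with field 1.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match the encoded blob")
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{alg} {fpt} {h(blob).hexdigest()}" for fpt, h in sorted(SSHFP_FPTYPE.items())]


def host_key_matches_dns(pubkey_line, dns_rdata, require_sha256=True):
    """Client-side check: does any SSHFP RDATA from DNS match the key the server presented?

    This only means something if the resolver validated the answer with DNSSEC
    (AD bit set); the function assumes that has already been checked. SHA-1
    records are skipped unless require_sha256 is False, preferring the stronger type.
    """
    computed = {tuple(r.split()) for r in sshfp_records(pubkey_line)}
    for rdata in dns_rdata:
        alg, fpt, digest = rdata.split()
        if require_sha256 and fpt != "2":
            continue
        if (alg, fpt, digest.lower()) in computed:   # presentation hex may be upper case
            return True
    return False


def constructed_pubkey_line():
    """Constructed sample key (NOT a real host key): ssh-ed25519 whose key bytes are 0..31."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"


if __name__ == "__main__":
    for rdata in sshfp_records(constructed_pubkey_line()):
        print("host.example. IN SSHFP", rdata)   # zone-file lines for the sample key
```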
TXT records
The IP Register database does not support TXT records, so if you need them set up, you must contact ip-register@uis.cam.ac.uk with details of the records that you need.
Please tell us what the record is for (a common reason is domain authorization or verification for third party suppliers) and how long you need the record to remain in place. Some providers (such as Microsoft) only need verification records temporarily, while others (such as Amazon) require them to remain in place while the service is active.
TXT records are also used for mail authentication and authorization, discussed on another page.
"aname" aliases
There are cases where you need an alias but a CNAME will not work. These include a number of situations which are discussed in detail on other pages:
round-robin aliases: You can ask us to set up an aname to act as a round-robin alias; for example, we use this on the mail servers formx.cam.ac.uk and smtp.hermes.cam.ac.uk.
TTLs
Updates from the IP Register database are published in the DNS hourly starting at 53 minutes past the hour. The process takes a few minutes. Our central DNS servers get these updates directly.
The standard "time to live" of records in our DNS zones is 1 hour. This is the lifetime for cached records on other DNS servers around the University and elsewhere.
In exceptional circumstances we can adjust the TTL of a few specific records for a limited period.
Wildcards
There can be situations where you need fast provisioning (faster than our 1 hour DNS update frequency) and when a pre-allocated pool of names will not work. In these cases we can set up a wildcard CNAME for you - please talk to ip-register@uis.cam.ac.uk.
The wildcard is implemented outside the IP Register database; to implement matching constraints inside the database, we also create a dummy entry in the database under wildcard.arpa.private.cam.ac.uk.