Add an SSHFP record to gitlab.com

Problem to solve

Manual verification of the SSH host key is tedious and no one does it.

Intended users

People who use the ssh url when interacting with git repos.

Further details

Removal of manual verification is good. A lot of people don't actually bother verifying it so there is a security improvement here too.

Proposal

Add an SSHFP record and populate it with the ssh key fingerprint details used by gitlab.com.

Permissions and Security

The permissions required depend on your DNS hosting service.

Documentation

Some documentation on the use of the record and possible troubleshooting with popular git clients might be good.

What does success look like, and how can we measure that?

Acceptance: "dig +short sshfp gitlab.com" returns something. Success: Popular clients stop asking if the host key is good and no one complains about regressions.

Links / references
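
As an added illustration of the proposal and acceptance check above (not part of the original issue and not GitLab's code), this Python example derives SSHFP record data from an OpenSSH public key line and checks `dig +short sshfp` output against it. The sample key is constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample key (not a real host key): Ed25519 blob holding bytes 0..31.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-example"


def sshfp_rdata(pubkey_line):
    """Return {(algorithm, fp_type, hex digest)} for a '<type> <base64>' key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed key type; it must agree with the
    # textual prefix, otherwise the line is malformed.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    if key_type.startswith("ecdsa-sha2-"):
        alg = 3
    elif key_type in ALGORITHMS:
        alg = ALGORITHMS[key_type]
    else:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    # The fingerprint is the digest of the whole decoded key blob.
    return {(alg, fp, h(blob).hexdigest()) for fp, h in DIGESTS.items()}


def parse_dig_short(output):
    """Parse `dig +short sshfp <host>` lines; hex may be upper case or chunked."""
    records = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            records.add((int(fields[0]), int(fields[1]), "".join(fields[2:]).lower()))
    return records


def published_matches(pubkey_line, dig_output):
    """True if DNS has records for this key's algorithm and all of them match."""
    expected = sshfp_rdata(pubkey_line)
    alg = next(iter(expected))[0]
    published = {r for r in parse_dig_short(dig_output) if r[0] == alg}
    return bool(published) and published <= expected
```

OpenSSH clients consult SSHFP records only when `VerifyHostKeyDNS` is enabled, and they skip the prompt only when the answer is DNSSEC-validated.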