host keys in DNSSEC? (or DNSCrypt :p) I know that is (was?) a thing.

never done it myself

indeed, I haven't looked for that yet, but yeah, I thought something along the lines of listing the fingerprints in the web interface

SSHFP is what you're thinking of, and yeah, it's only "trustworthy" if the domain is signed, and even then only if the resolver checks DNSSEC... (In other words, all depending on your level of paranoia)

One might publish a fingerprint on the website, but then there's the whole entire trust chain, starting with DNSSEC and DNS in general, to SSL cert chain trust, to the website/host security itself and whether someone injected malicious content into an otherwise-official page.

well, sure, but it would certainly be strictly not worse than not having it :-)

and while the trust model of the X.509 PKI certainly is questionable, it does do a pretty good job against local attackers

Regardless, SSHFP verification is off by default (last I checked), so Most Users(tm) aren't going to benefit from it, not unless they already know about it or their system administrator does anyways. I don't say this as a reason not to bother using it, just to point out that Everything Is Awful(tm)

I notice most people just delete a key when they see that prompt for a changed fingerprint

s/most/some/

I notice some people just delete a key when they see that prompt for a changed fingerprint