Also added SSHFP support to propellor. Works beautifully -- configure ssh pubkey in one place and it's both deployed to the host's /etc/ssh and to the dns server's SSHFP records.

ssh can be configured to automatically accept SSHFP keys secured with DNSSEC -- no more "host key changed" messages.