Hi,
if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you can do
# ipa host-mod --updatedns --sshpubkey "ssh-rsa AAAAB3NzaC..." client.ipa.test
(where the bold text is the content of your .pub file).
Then in order to check what was done:
# ipa dnsrecord-show ipa.test client
Record name: client
A record: 10.0.147.130
SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
You can check that they correspond using
# ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
The fingerprints are also visible using
# ipa host-show client.ipa.test
...
SSH public key fingerprint: SHA256:Cx...
and can be checked using
# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
3072 SHA256:Cx...
Does it help?
flo
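The SSHFP records in DNS, the ssh-keygen -r output and the SHA256:... fingerprint shown in the message above are all hashes of the same decoded key blob from the .pub file. The following is an added example, not part of the original message and not FreeIPA or OpenSSH code: it derives all three from a .pub line and checks them against the "SSHFP record:" value printed by ipa dnsrecord-show. The function names and the sample ed25519 key are constructed for illustration.

```python
import base64, hashlib, struct

# Added example. SSHFP algorithm numbers per RFC 4255, RFC 6594, RFC 7479.
ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
        "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}

def key_blob(pub_line):
    """Return (key type, decoded key blob) from one line of a .pub file."""
    ktype, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != ktype:
        raise ValueError("key type does not match key blob")
    return ktype, blob

def sshfp_records(pub_line):
    """(algorithm, fp type, hex digest) tuples, as ssh-keygen -r prints them."""
    ktype, blob = key_blob(pub_line)
    return {(ALGO[ktype], 1, hashlib.sha1(blob).hexdigest()),     # type 1: SHA-1
            (ALGO[ktype], 2, hashlib.sha256(blob).hexdigest())}   # type 2: SHA-256

def sha256_fingerprint(pub_line):
    """The SHA256:... form printed by ssh-keygen -l and ipa host-show."""
    digest = hashlib.sha256(key_blob(pub_line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_ipa_sshfp(value):
    """Parse the comma-separated 'SSHFP record:' value from ipa dnsrecord-show."""
    out = set()
    for rec in value.split(","):
        algo, fptype, hexfp = rec.split()
        out.add((int(algo), int(fptype), hexfp.lower()))  # IPA prints upper case
    return out

def dns_matches_key(ipa_value, pub_line):
    """True if DNS holds both fingerprints of this host key (others may exist)."""
    return sshfp_records(pub_line) <= parse_ipa_sshfp(ipa_value)

def make_sample_pub():
    """Constructed ed25519-shaped key with fixed bytes, not a real host key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@client.ipa.test"

if __name__ == "__main__":
    pub = make_sample_pub()
    for algo, fptype, hexfp in sorted(sshfp_records(pub)):
        print("client.ipa.test IN SSHFP", algo, fptype, hexfp)
    print(sha256_fingerprint(pub))
```

The comparison is a subset check because a host normally publishes SSHFP records for several key types, while each .pub file covers only one.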