diff --git a/debian/changelog b/debian/changelog
index 224f0fe..c54aa16 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+propellor (1.3.2) UNRELEASED; urgency=medium
+
+ * SSHFP records are also generated for CNAMES of hosts.
+
+ -- Joey Hess Sun, 04 Jan 2015 21:25:42 -0400
+
 propellor (1.3.1) unstable; urgency=medium
 * Fix bug that prevented deploying ssh host keys when the file for the
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
index f3f9cc4..e19d82c 100644
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@@ -80,7 +80,7 @@ setupPrimary zonefile mknamedconffile hosts domain soa rs =
 baseprop = Property ("dns primary for " ++ domain) satisfy (addNamedConf conf)
 satisfy = do
- sshfps <- concat <$> mapM genSSHFP indomain
+ sshfps <- concat <$> mapM (genSSHFP domain) indomain
 let zone = partialzone { zHosts = zHosts partialzone ++ rs ++ sshfps }
 ifM (liftIO $ needupdate zone)
@@ -514,12 +514,16 @@ getNamedConf = asks $ fromNamedConfMap . _namedconf . hostInfo
 -- ssh public keys.
 --
 -- This is done using ssh-keygen, so sadly needs IO.
-genSSHFP :: Host -> Propellor [(BindDomain, Record)]
-genSSHFP h = map (\r -> (AbsDomain hostname, r)) . concat <$> (gen =<< get)
+genSSHFP :: Domain -> Host -> Propellor [(BindDomain, Record)]
+genSSHFP domain h = concatMap mk . concat <$> (gen =<< get)
 where
- hostname = hostName h
 get = fromHost [h] hostname Ssh.getPubKey
 gen = liftIO . mapM genSSHFP' . M.elems . fromMaybe M.empty
+ mk r = map (\d -> (d, r)) (AbsDomain hostname : cnames)
+ cnames = filter (inDomain domain) $
+ mapMaybe getCNAME $ S.toList $ _dns info
+ hostname = hostName h
+ info = hostInfo h
 genSSHFP' :: String -> IO [Record]
 genSSHFP' pubkey = withTmpFile "sshfp" $ \tmp tmph -> do
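Review bot: In `genSSHFP`, `mk` now publishes every SSHFP record at each alias returned by `getCNAME` as well as at `AbsDomain hostname`, but a name that owns a CNAME record may not carry any other record type (RFC 1034 §3.6.2), and BIND rejects a zone that has both at one name. Whether these aliases are written to the zone as real CNAME records or as address records is decided outside this hunk, so that should be confirmed; if they are real CNAMEs, resolvers already reach the SSHFP data at the canonical name and the extra records should be dropped. The doc comment above the signature begins outside the hunk, and the part visible here does not mention the new `Domain` argument; it could gain a line such as `-- Aliases of the host that lie inside the given domain get the same records.`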