From owner-freebsd-current@FreeBSD.ORG Wed Sep 11 15:25:57 2013 Return-Path: Delivered-To: current@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 2F88617A; Wed, 11 Sep 2013 15:25:57 +0000 (UTC) (envelope-from ian@FreeBSD.org) Received: from mho-01-ewr.mailhop.org (mho-03-ewr.mailhop.org [204.13.248.66]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 049F4234E; Wed, 11 Sep 2013 15:25:56 +0000 (UTC) Received: from c-24-8-230-52.hsd1.co.comcast.net ([24.8.230.52] helo=damnhippie.dyndns.org) by mho-01-ewr.mailhop.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from ) id 1VJmIl-0006Ct-MC; Wed, 11 Sep 2013 15:25:55 +0000 Received: from [172.22.42.240] (revolution.hippie.lan [172.22.42.240]) by damnhippie.dyndns.org (8.14.3/8.14.3) with ESMTP id r8BFPp2N007288; Wed, 11 Sep 2013 09:25:51 -0600 (MDT) (envelope-from ian@FreeBSD.org) X-Mail-Handler: Dyn Standard SMTP by Dyn X-Originating-IP: 24.8.230.52 X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/sendlabs/outbound_abuse.html for abuse reporting information) X-MHO-User: U2FsdGVkX187S8EOtombVK278KHwUr7i Subject: Re: HEADS UP: OpenSSH with DNSSEC support in 10 From: Ian Lepore To: Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?= In-Reply-To: <86hadre740.fsf@nine.des.no> References: <86hadre740.fsf@nine.des.no> Content-Type: text/plain; charset="ISO-8859-1" Date: Wed, 11 Sep 2013 09:25:51 -0600 Message-ID: <1378913151.1111.613.camel@revolution.hippie.lan> Mime-Version: 1.0 X-Mailer: Evolution 2.32.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by damnhippie.dyndns.org id r8BFPp2N007288 Cc: freebsd-security@FreeBSD.org, current@FreeBSD.org X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Sep 2013 15:25:57 -0000 On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Sm=F8rgrav wrote: > OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you > disable LDNS in src.conf. If DNSSEC is enabled, the default setting fo= r > VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust > DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask" > (aka "train the user to type 'yes' and hit enter") and "no" (aka "train > the user to type 'yes' and hit enter without even the benefit of a > second opinion"). >=20 > DES So what happens when there is no dns server to consult? Will every ssh connection have to wait for a long dns query timeout? What if the machine is configured to use only /etc/hosts? What if a DNS server is configured but doesn't respond? For that matter, I just realized I'm a bit unclear on who is querying DNS for this info, the ssh client or the sshd? -- Ian