Date:      Wed, 11 Sep 2013 09:25:51 -0600
From:      Ian Lepore <ian@FreeBSD.org>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-security@FreeBSD.org, current@FreeBSD.org
Subject:   Re: HEADS UP: OpenSSH with DNSSEC support in 10
Message-ID:  <1378913151.1111.613.camel@revolution.hippie.lan>
In-Reply-To: <86hadre740.fsf@nine.des.no>
References:  <86hadre740.fsf@nine.des.no>

On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
> disable LDNS in src.conf.  If DNSSEC is enabled, the default setting for
> VerifyHostKeyDNS is "yes".  This means that OpenSSH will silently trust
> DNSSEC-signed SSHFP records.  I consider this a lesser evil than "ask"
> (aka "train the user to type 'yes' and hit enter") and "no" (aka "train
> the user to type 'yes' and hit enter without even the benefit of a
> second opinion").
> 
> DES

So what happens when there is no dns server to consult?  Will every ssh
connection have to wait for a long dns query timeout?

What if the machine is configured to use only /etc/hosts?

What if a DNS server is configured but doesn't respond?

For that matter, I just realized I'm a bit unclear on who is querying
DNS for this info, the ssh client or the sshd?

-- Ian
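Added example, written for this archive page and not taken from the thread or from OpenSSH: a small Python model of the SSHFP check that VerifyHostKeyDNS turns on. An SSHFP record (RFC 4255, with the SHA-256 and Ed25519 additions from RFC 6594 and RFC 7479) carries an algorithm number, a fingerprint type and a hex fingerprint of the raw host-key blob; the client hashes the key the server just presented and looks for a matching record. The `ad_validated` flag stands in for the resolver reporting the answer as DNSSEC-validated, which is the condition under which the "yes" setting accepts the key without a prompt; a match in an unvalidated answer only earns a warning and the usual prompt. The host key line is constructed (the key bytes are 0..31, not a real key), and the code does not model the resolver timeouts Ian asks about.

```python
"""Model of the SSHFP host-key check behind OpenSSH's VerifyHostKeyDNS.

Added example; not OpenSSH code. The sample key below is constructed.
"""
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then data."""
    return struct.pack(">I", len(data)) + data


def parse_host_key_line(line: str):
    """Split 'keytype base64-blob [comment]' into (keytype, raw blob)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob itself begins with the key type string; make sure they agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match the prefix")
    return keytype, blob


def sshfp_records(line: str):
    """Return (algorithm, fptype, hex) tuples: what `ssh-keygen -r host` publishes."""
    keytype, blob = parse_host_key_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASHES.items())]


def verify_host_key_dns(line: str, records, ad_validated: bool) -> str:
    """Decide what a client with VerifyHostKeyDNS=yes does with the offered key.

    'trusted'  - a record matches and the resolver validated the answer (AD bit):
                 the key is accepted without a prompt.
    'ask'      - a record matches but the answer was not DNSSEC-validated: the
                 client warns and falls back to the usual prompt.
    'no match' - no usable record matches: fall back to known_hosts / prompt.
    """
    keytype, blob = parse_host_key_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    for r_alg, r_fptype, r_hex in records:
        if r_alg != alg or r_fptype not in SSHFP_HASHES:
            continue  # different key type, or a hash type we cannot compute
        if SSHFP_HASHES[r_fptype](blob).hexdigest() == r_hex.lower():
            return "trusted" if ad_validated else "ask"
    return "no match"


# Constructed sample: an Ed25519 host key line whose 32 key bytes are 0..31.
# It is not a real key, only a well-formed blob for the fingerprint arithmetic.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_HOST_KEY_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
                        + " constructed-example")

if __name__ == "__main__":
    recs = sshfp_records(SAMPLE_HOST_KEY_LINE)
    for alg, fptype, hexfp in recs:
        print(f"example.test. IN SSHFP {alg} {fptype} {hexfp}")
    print(verify_host_key_dns(SAMPLE_HOST_KEY_LINE, recs, ad_validated=True))
    print(verify_host_key_dns(SAMPLE_HOST_KEY_LINE, recs, ad_validated=False))
```

Running the block prints the two records a zone would publish for the sample key and then `trusted` and `ask`, which is the whole difference the DNSSEC build makes: the same matching record is only auto-accepted when the answer arrived validated.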