Re: HEADS UP: OpenSSH with DNSSEC support in 10

From: Ian Lepore <ian_at_FreeBSD.org>
Date: Wed, 11 Sep 2013 09:25:51 -0600
On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
> disable LDNS in src.conf.  If DNSSEC is enabled, the default setting for
> VerifyHostKeyDNS is "yes".  This means that OpenSSH will silently trust
> DNSSEC-signed SSHFP records.  I consider this a lesser evil than "ask"
> (aka "train the user to type 'yes' and hit enter") and "no" (aka "train
> the user to type 'yes' and hit enter without even the benefit of a
> second opinion").
> 
> DES

So what happens when there is no dns server to consult?  Will every ssh
connection have to wait for a long dns query timeout?

What if the machine is configured to use only /etc/hosts?

What if a DNS server is configured but doesn't respond?

For that matter, I just realized I'm a bit unclear on who is querying
DNS for this info, the ssh client or the sshd?

-- Ian
Received on Wed Sep 11 2013 - 13:25:57 UTC
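As an added example (not code from this thread or from OpenSSH), this is what the comparison behind VerifyHostKeyDNS amounts to on the client side: hash the raw host-key blob and match it against the algorithm, fingerprint type and hex fingerprint in an SSHFP record, as `ssh-keygen -r` would print it. The ssh-ed25519 key blob is constructed, not a real key, and the DNS lookup and DNSSEC validation that the thread discusses are left to the resolver.

```python
"""Compute and check SSHFP records (RFC 4255 / RFC 6594) for an OpenSSH host key."""
import base64
import hashlib
import struct

# Algorithm and fingerprint-type numbers from RFC 4255 / RFC 6594
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line: str, fptypes=(1, 2)):
    """Return (alg, fptype, hex fingerprint) tuples for a public-key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The wire blob starts with its own type string; require it to match
    # the text field so a mislabelled key cannot produce a matching record.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type field does not match key blob")
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, t, SSHFP_HASH[t](blob).hexdigest()) for t in fptypes]


def matches_sshfp(pubkey_line: str, alg: int, fptype: int, fp_hex: str) -> bool:
    """True if SSHFP RDATA (alg, fptype, hex fp) matches the presented key."""
    return (alg, fptype, fp_hex.lower()) in sshfp_records(pubkey_line, (fptype,))


def constructed_ed25519_line(seed: int = 7) -> str:
    """Constructed sample: a well-formed ssh-ed25519 wire blob with a dummy
    32-byte point (not a real key), base64-encoded like a host key file."""
    point = bytes((seed * i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    line = constructed_ed25519_line()
    for alg, fptype, fp in sshfp_records(line):
        print(f"host.example. IN SSHFP {alg} {fptype} {fp}")
```

Running the script prints the two records (SHA-1 and SHA-256) that would be published for the constructed key; `matches_sshfp` is the check the client performs against whichever record the resolver returns.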
