Re: HEADS UP: OpenSSH with DNSSEC support in 10

From: Ian Lepore <ian_at_FreeBSD.org>
Date: Wed, 11 Sep 2013 10:16:21 -0600

On Wed, 2013-09-11 at 17:42 +0200, Dag-Erling Smørgrav wrote:
> Ian Lepore <ian_at_FreeBSD.org> writes:
> > So what happens when there is no dns server to consult?  Will every
> > ssh connection have to wait for a long dns query timeout?  What if the
> > machine is configured to use only /etc/hosts?
> 
> If there is no DNS server, no query will be sent.
> 
> > What if a DNS server is configured but doesn't respond?
> 
> The DNS request will time out.
> 
> In the vast majority of cases, you will either have no DNS at all (so no
> query will be sent), or you will have a functioning DNS server.  In a
> slightly less vast majority of cases, you will not be able to resolve
> the server's IP address without DNS anyway.
> 
> > For that matter, I just realized I'm a bit unclear on who is querying
> > DNS for this info, the ssh client or the sshd?
> 
> The client - and you can override this in your ~/.ssh/config or on the
> command line (-oVerifyHostKeyDNS=no).
> 
> DES
> -- 

Thanks.  If this is client-side I'm much less scared by it.  At $work we
have embedded systems with less than full network functionality, often
including either /etc/hosts usage or worse, sometimes a dns is
configured but unreachable, and we ssh into them a lot for development.

-- Ian
Received on Wed Sep 11 2013 - 14:16:25 UTC
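
Added example, not part of the original thread: a per-host override in ~/.ssh/config of the kind DES mentions, turning off the client-side DNS host key lookup only for targets whose DNS setup is unreliable. The host patterns are constructed placeholders, and the explicit `yes` under `Host *` is an assumption about the desired default.

```sshconfig
# ~/.ssh/config on the machine running the ssh client.
# The DNS lookup for host keys is done by the client, so this file
# (not anything on the target) decides whether a query is attempted.
#
# ssh takes the first value it finds for each option, so host-specific
# blocks must appear before the catch-all "Host *" block.

# Constructed placeholder patterns for embedded development targets
# that are reached via /etc/hosts or by address.
Host devboard-* 192.0.2.*
    # No host key lookup in DNS for these hosts; the key is checked
    # against known_hosts only.
    VerifyHostKeyDNS no

# Everything else: state the setting explicitly instead of relying on
# the build's default (assumed preference, adjust as needed).
Host *
    VerifyHostKeyDNS yes
```

On OpenSSH 6.8 and later, `ssh -G <host>` prints the options the client would use for that host, which confirms which block matched.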