On Wed, 11 Sep 2013, Ian Lepore wrote:

> On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
>> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
>> disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
>> VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust
>> DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask"
>> (aka "train the user to type 'yes' and hit enter") and "no" (aka "train
>> the user to type 'yes' and hit enter without even the benefit of a
>> second opinion").
>>
>> DES
>
> So what happens when there is no dns server to consult? Will every ssh
> connection have to wait for a long dns query timeout?

There is a long precedent for ssh waiting on DNS timeouts, with the GSSAPI*
options. At least in some cases, ssh could end up waiting for 3 retries
against each KDC for each of some six GSSAPI mechanisms, at (IIRC) a
3-second timeout each. This was so bad that corrective action was taken,
but there are still some delays if DNS is not functioning properly.

-Ben Kaduk

Received on Thu Sep 12 2013 - 01:18:18 UTC
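The SSHFP records that VerifyHostKeyDNS consults carry a hash of the host's public key blob. The following added example (not from this thread or from OpenSSH) computes the SSHFP rdata for a public-key line the way `ssh-keygen -r` does and checks a DNS answer against a known host key, so an operator can confirm that what DNSSEC will vouch for actually matches the key on the server; the Ed25519 key it uses is a constructed sample, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and the SHA-256 fingerprint type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4,
}
SSHFP_SHA256 = 2


def sshfp_from_pubkey(pubkey_line: str) -> tuple:
    """Return (algorithm, fptype, hex fingerprint) for one line of an OpenSSH
    public-key file, i.e. the rdata that `ssh-keygen -r` would print."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The fingerprint is taken over the wire-format key blob (the decoded base64),
    # not over the text line.
    return SSHFP_ALGORITHMS[keytype], SSHFP_SHA256, hashlib.sha256(blob).hexdigest()


def sshfp_matches(pubkey_line: str, dns_rdata: str) -> bool:
    """True if an SSHFP answer such as "4 2 <hex>" matches the known host key."""
    alg, fptype, fp = dns_rdata.split()
    return (int(alg), int(fptype), fp.lower()) == sshfp_from_pubkey(pubkey_line)


def constructed_ed25519_pubkey() -> str:
    """Constructed sample only: a syntactically valid ssh-ed25519 public-key
    line whose 32-byte key material is the bytes 0x00..0x1f."""
    keytype = b"ssh-ed25519"
    raw = bytes(range(32))
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(raw)) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey()
    alg, fptype, fp = sshfp_from_pubkey(key)
    # Zone-file form of the record a resolver would return for this key.
    print(f"host.example. IN SSHFP {alg} {fptype} {fp}")
    print("matches:", sshfp_matches(key, f"{alg} {fptype} {fp}"))
```

Run it against `/etc/ssh/ssh_host_ed25519_key.pub` on a real host and compare the printed line with `dig +dnssec SSHFP host.example.` to confirm the published record before relying on VerifyHostKeyDNS.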