Hi dnsops folks-- This is a minor thing, but something I'd like to see happen more often.

At the WG meeting in November of last year, there was a clear sense in the room that everyone agreed (and maybe had for years?) that OpenSSH's sshd should not be using reverse DNS lookups on client IP addresses as any sort of security check. I reported that discussion to the OpenSSH development mailing list. The next version of OpenSSH (v6.8) is now set to be released with the following change:

 * sshd(8): UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses.

http://marc.info/?l=openssh-unix-dev&m=142438449111563&w=2

If there are other instances of popular software that does unreasonable or unsafe things with the DNS by default, please reach out to the developers of that software and encourage them to change. Developers do listen, and we can improve the state of the network by engaging with other implementors. :)

If you're not sure who to contact for a particular piece of software, I'm happy to help you try to find the right channels for discussion.

Regards,

--dkg

(I'm not subscribed to dnsops, please cc me on replies you want me to see)
