On Fri, 20 Feb 2015 14:12:50 -0500
Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:

> If there are other instances of popular software that does
> unreasonable or unsafe things with the DNS by default,

I think it is worth noting, again, all OpenSSH does when UseDNS is
enabled is log a message when it detects a connecting client's
address and the associated name, if any, do not match.

The 'POSSIBLE BREAK-IN ATTEMPT!' string is still part of the log message
generated in those mismatch cases when UseDNS is enabled (see
canohost.c).  So the on/off button was set to a different default, but
the spirit of your "unreasonable and unsafe" campaign missed effecting
change in a key part of the code.  Perhaps you could follow up and
advocate a change for that as well?

> If there are other instances of popular software that does
> unreasonable or unsafe things with the DNS by default,

It may be reasonable to advocate that the OpenSSH UseDNS option be
disabled by default, but one might ask then, when is it reasonable and
safe to use PTR queries and in-addr.arpa/ip6.arpa?  Hello, rat hole.

John
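The check the message describes, as an added example that is not code from the thread or from OpenSSH: a forward-confirmed reverse-DNS lookup which, like sshd with UseDNS enabled, only logs on a mismatch and falls back to the bare address rather than refusing the client. The resolver records are constructed so it runs offline, and the function names and the log wording are hypothetical (modelled on the sshd style the thread mentions).

```python
import ipaddress
import logging
from typing import Dict, List, Tuple

# Constructed DNS data standing in for a resolver so the example runs offline.
# PTR_RECORDS: address -> name ("" means no PTR); FORWARD_RECORDS: name -> addresses.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "good.example.net",
    "192.0.2.20": "spoofed.example.net",
    "198.51.100.7": "",
}
FORWARD_RECORDS: Dict[str, List[str]] = {
    "good.example.net": ["192.0.2.10"],
    # PTR claims this name, but the name does not resolve back to 192.0.2.20.
    "spoofed.example.net": ["203.0.113.5"],
}

log = logging.getLogger("fcrdns-example")


def reverse_lookup(addr: str) -> str:
    """Hypothetical PTR query against the constructed records."""
    return PTR_RECORDS.get(addr, "")


def forward_lookup(name: str) -> List[str]:
    """Hypothetical A/AAAA query against the constructed records."""
    return FORWARD_RECORDS.get(name, [])


def remote_hostname(ip: str, use_dns: bool = True) -> Tuple[str, bool]:
    """Return (name to report for the peer, mismatch_detected).

    With use_dns off the peer is identified by address only. With it on, the
    PTR name is accepted only if a forward lookup of that name contains the
    connecting address; otherwise a warning is logged and the address is used.
    Nothing is blocked in either case, matching the behaviour described above.
    """
    addr = str(ipaddress.ip_address(ip))  # normalise; rejects garbage input
    if not use_dns:
        return addr, False
    name = reverse_lookup(addr)
    if not name:
        return addr, False  # no PTR record: nothing to confirm, nothing to log
    if addr in forward_lookup(name):
        return name.lower(), False
    log.warning("Address %s maps to %s, but this does not map back to the "
                "address - POSSIBLE BREAK-IN ATTEMPT!", addr, name)
    return addr, True
```

The mismatch flag is the only thing the check yields; a PTR controlled by the connecting party can still name any host it likes, which is why the result is only safe to use for logging.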

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
