On Wed, 11 Sep 2013, Ian Lepore wrote:

> On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
>> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
>> disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
>> VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust
>> DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask"
>> (aka "train the user to type 'yes' and hit enter") and "no" (aka "train
>> the user to type 'yes' and hit enter without even the benefit of a
>> second opinion").
>>
>> DES
>
> So what happens when there is no dns server to consult? Will every ssh
> connection have to wait for a long dns query timeout?

There is a long precedent for ssh waiting on DNS timeouts, with the GSSAPI*
options. At least in some cases, ssh could end up waiting for 3 retries
against each KDC for each of some six GSSAPI mechanisms, at (IIRC) a
3-second timeout each. This was so bad that corrective action was taken,
but there are still some delays if DNS is not functioning properly.

-Ben Kaduk
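Added example, not part of the thread: what an SSHFP record actually contains and, as a simplified model (an assumption, not OpenSSH's code), when VerifyHostKeyDNS lets a client skip the known_hosts prompt. The key line, the DNS answer dict and the AD flag handling are constructed for this example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / RFC 6594 / RFC 7479) per OpenSSH key type.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return (algorithm, fptype, hexdigest) tuples for one public key line,
    i.e. the records `ssh-keygen -r` would publish for that host key."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)          # the hash covers the wire-format blob
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, digest(blob).hexdigest())
            for fptype, digest in sorted(SSHFP_DIGEST.items())]


def host_key_decision(policy, pubkey_line, answer):
    """Simplified model (assumption, not OpenSSH source) for a host key not yet
    in known_hosts. `policy` is the VerifyHostKeyDNS value; `answer` is
    {"ad": <resolver set the DNSSEC AD flag?>, "records": [(alg, fptype, hex)]}.
    Only a matching record from a DNSSEC-validated answer is accepted silently."""
    if policy == "no" or not answer["records"]:
        return "prompt"
    expected = {(a, t, h.lower()) for a, t, h in sshfp_records(pubkey_line)}
    matched = any((a, t, h.lower()) in expected for a, t, h in answer["records"])
    if not matched:
        return "warn-and-prompt"         # SSHFP exists but is stale or wrong
    if policy == "yes" and answer["ad"]:
        return "accept"                  # the "silently trust" case from the thread
    return "prompt"                      # "ask", or a match the resolver did not validate


def constructed_key_line():
    """Syntactically valid ssh-ed25519 public key line built from dummy bytes
    (constructed for this example; not a real key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example-host"


if __name__ == "__main__":
    line = constructed_key_line()
    for alg, fptype, hexdigest in sshfp_records(line):
        print(f"example-host. IN SSHFP {alg} {fptype} {hexdigest}")
```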
freebsd-current mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current