HEADS UP: OpenSSH with DNSSEC support in 10
Ian Lepore
ian at FreeBSD.org
Wed Sep 11 15:25:57 UTC 2013
On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
> disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
> VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust
> DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask"
> (aka "train the user to type 'yes' and hit enter") and "no" (aka "train
> the user to type 'yes' and hit enter without even the benefit of a
> second opinion").
>
> DES
So what happens when there is no DNS server to consult? Will every ssh
connection have to wait for a long DNS query timeout?
What if the machine is configured to use only /etc/hosts?
What if a DNS server is configured but doesn't respond?
For that matter, I just realized I'm a bit unclear on who is querying
DNS for this info, the ssh client or the sshd?
-- Ian
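For reference on what VerifyHostKeyDNS actually compares: the ssh client (not sshd) looks up SSHFP records for the host it is connecting to, and each record carries an algorithm number, a fingerprint type and a hex digest of the host's public key blob. The following is an added example, not code from this thread or from OpenSSH; it builds SSHFP records from an OpenSSH public-key line and checks a presented key against one, using the algorithm and fingerprint-type numbers from RFC 4255, RFC 6594 and RFC 7479. It does no DNS lookups at all, so it says nothing about DNSSEC validation or resolver timeouts; the sample key is a constructed dummy, not a real host key.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (keytype, raw_blob) from an OpenSSH public-key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64)
    # The wire blob starts with a length-prefixed copy of the key type;
    # refuse lines whose text field disagrees with the encoded blob.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type in blob does not match text field")
    return keytype, blob


def sshfp_records(hostname, pubkey_line, fptypes=(1, 2)):
    """Generate zone-file SSHFP records for one public-key line."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    algo = SSHFP_ALGORITHM[keytype]
    records = []
    for fptype in fptypes:
        digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
        records.append(f"{hostname}. IN SSHFP {algo} {fptype} {digest}")
    return records


def matches_sshfp(pubkey_line, algo, fptype, fingerprint_hex):
    """Does the presented host key match a single SSHFP record?"""
    keytype, blob = parse_pubkey_line(pubkey_line)
    if SSHFP_ALGORITHM.get(keytype) != algo or fptype not in SSHFP_FPTYPE:
        return False
    digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(digest, fingerprint_hex.lower())


def _constructed_ed25519_line():
    """Constructed sample: a syntactically valid ssh-ed25519 public-key line
    whose 32-byte key is a fixed dummy pattern, not a real host key."""
    keytype = b"ssh-ed25519"
    fake_key = bytes(range(32))
    blob = (struct.pack(">I", len(keytype)) + keytype
            + struct.pack(">I", len(fake_key)) + fake_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


SAMPLE_PUBKEY = _constructed_ed25519_line()

if __name__ == "__main__":
    for rec in sshfp_records("host.example", SAMPLE_PUBKEY):
        print(rec)
```

Run it and compare the output with what `ssh-keygen -r host.example` prints for the same key; the hostname, numbers and digests should agree. Whether the client then trusts such a record depends on the resolver returning it with DNSSEC validation, which is the part of the picture this script leaves out.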