HEADS UP: OpenSSH with DNSSEC support in 10
Benjamin Kaduk
kaduk at MIT.EDU
Thu Sep 12 03:18:19 UTC 2013
On Wed, 11 Sep 2013, Ian Lepore wrote:
> On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
>> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
>> disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
>> VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust
>> DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask"
>> (aka "train the user to type 'yes' and hit enter") and "no" (aka "train
>> the user to type 'yes' and hit enter without even the benefit of a
>> second opinion").
>>
>> DES
>
> So what happens when there is no dns server to consult? Will every ssh
> connection have to wait for a long dns query timeout?
There is a long precedent for ssh waiting on DNS timeouts, with the GSSAPI*
options. At least in some cases, ssh could end up waiting for 3 retries
against each KDC for each of some six GSSAPI mechanisms, at (IIRC) a
3-second timeout each. This was so bad that corrective action was taken,
but there are still some delays if DNS is not functioning properly.
-Ben Kaduk
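As an added illustration of the SSHFP mechanism this thread is about (example code, not part of the original mail or of OpenSSH), the following derives the SSHFP records for an OpenSSH public key line, as a zone administrator would publish them, and emulates the client-side comparison. The sample key is a constructed, syntactically valid ssh-ed25519 blob, not a real key, and the emulation ignores the DNSSEC validation step that the real client requires before trusting a record.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594) for the OpenSSH key types.
SSHFP_ALGOS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
               "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return (algorithm, fptype, hex fingerprint) tuples for one OpenSSH public key line.
    The fingerprint is the hash of the raw RFC 4253 public key blob, i.e. the base64 field."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # Sanity check: the blob begins with a length-prefixed copy of the key type string.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type inside blob does not match the key line")
    algo = SSHFP_ALGOS[keytype]
    return [(algo, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_FPTYPES.items()]


def format_zone_lines(host, pubkey_line):
    """Zone-file lines equivalent to what `ssh-keygen -r host` prints for this key."""
    return [f"{host}. IN SSHFP {a} {t} {fp}" for a, t, fp in sshfp_records(pubkey_line)]


def host_key_matches_dns(pubkey_line, dns_rrset):
    """Emulate the VerifyHostKeyDNS comparison: does any published SSHFP record match
    the key the server presented? Hex in DNS may be upper case, so normalise it.
    (The real client also requires the RRset to be DNSSEC-validated; not modelled here.)"""
    local = set(sshfp_records(pubkey_line))
    return any((a, t, fp.lower()) in local for a, t, fp in dns_rrset)


def _constructed_key():
    # Constructed sample: correct wire format for ssh-ed25519 with a dummy 32-byte point.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-example"


SAMPLE_KEY = _constructed_key()

if __name__ == "__main__":
    for line in format_zone_lines("host.example", SAMPLE_KEY):
        print(line)
```

Comparing the output of `ssh-keygen -r host` on the server against what `dig +dnssec SSHFP host` returns is the check an administrator would run before relying on the "yes" default described above.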