Date:      Wed, 11 Sep 2013 17:42:45 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        Ian Lepore <ian@FreeBSD.org>
Cc:        freebsd-security@FreeBSD.org, current@FreeBSD.org
Subject:   Re: HEADS UP: OpenSSH with DNSSEC support in 10
Message-ID:  <86d2ofe556.fsf@nine.des.no>
In-Reply-To: <1378913151.1111.613.camel@revolution.hippie.lan> (Ian Lepore's message of "Wed, 11 Sep 2013 09:25:51 -0600")
References:  <86hadre740.fsf@nine.des.no> <1378913151.1111.613.camel@revolution.hippie.lan>

Ian Lepore <ian@FreeBSD.org> writes:
> So what happens when there is no dns server to consult?  Will every
> ssh connection have to wait for a long dns query timeout?  What if the
> machine is configured to use only /etc/hosts?

If there is no DNS server, no query will be sent.

> What if a DNS server is configured but doesn't respond?

The DNS request will time out.

In the vast majority of cases, you will either have no DNS at all (so no
query will be sent), or you will have a functioning DNS server.  In a
slightly less vast majority of cases, you will not be able to resolve
the server's IP address without DNS anyway.

> For that matter, I just realized I'm a bit unclear on who is querying
> DNS for this info, the ssh client or the sshd?

The client - and you can override this in your ~/.ssh/config or on the
command line (-oVerifyHostKeyDNS=no).

DES
-- 
Dag-Erling Smørgrav - des@des.no


