From: Dag-Erling Smørgrav
To: Ian Lepore
Cc: freebsd-security@FreeBSD.org, current@FreeBSD.org
Subject: Re: HEADS UP: OpenSSH with DNSSEC support in 10
Date: Wed, 11 Sep 2013 17:42:45 +0200
Message-ID: <86d2ofe556.fsf@nine.des.no>
In-Reply-To: <1378913151.1111.613.camel@revolution.hippie.lan> (Ian Lepore's message of "Wed, 11 Sep 2013 09:25:51 -0600")

Ian Lepore writes:
> So what happens when there is no dns server to consult?  Will every
> ssh connection have to wait for a long dns query timeout?  What if the
> machine is configured to use only /etc/hosts?

If there is no DNS server, no query will be sent.

> What if a DNS server is configured but doesn't respond?
The DNS request will time out.  In the vast majority of cases, you will
either have no DNS at all (so no query will be sent), or you will have a
functioning DNS server.  In a slightly less vast majority of cases, you
will not be able to resolve the server's IP address without DNS anyway.

> For that matter, I just realized I'm a bit unclear on who is querying
> DNS for this info, the ssh client or the sshd?

The client - and you can override this in your ~/.ssh/config or on the
command line (-oVerifyHostKeyDNS=no).

DES
-- 
Dag-Erling Smørgrav - des@des.no
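An added example, not from this thread and not OpenSSH's own code: the comparison the client performs once a DNS answer does arrive, matching the host key the server offers against published SSHFP records (RFC 4255, RFC 6594). It goes one step beyond the reply above, which only names the VerifyHostKeyDNS option; the host key is a constructed, syntactically valid blob rather than a real key, and DNSSEC validation of the answer is assumed to have happened elsewhere.

```python
import base64
import hashlib

# SSHFP code points (RFC 4255, RFC 6594): key algorithm and fingerprint type.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed host key for the demo: a syntactically valid ssh-ed25519 blob
# (string "ssh-ed25519", then 32 key bytes) whose key bytes are just 0..31.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
CONSTRUCTED_HOST_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " demo"


def sshfp_from_pubkey(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) for an OpenSSH public key
    line, i.e. the rdata an administrator would publish as an SSHFP record.
    The fingerprint is the hash of the raw key blob, as RFC 4255 specifies."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALGO[keytype], fptype, SSHFP_FPTYPE[fptype](blob).hexdigest()


def parse_sshfp_rdata(rdata):
    """Parse presentation-format rdata ("4 2 <hex>") from a DNS answer; the hex
    may be split by spaces or upper-cased, so normalise it before comparing."""
    algo, fptype, fp = rdata.split(None, 2)
    return int(algo), int(fptype), fp.replace(" ", "").lower()


def host_key_matches(pubkey_line, sshfp_rdatas):
    """True if any published SSHFP record matches the offered host key.
    Unknown fingerprint types are skipped rather than treated as a match,
    and an empty answer (no records, or no DNS at all) means no match."""
    for rdata in sshfp_rdatas:
        algo, fptype, fp = parse_sshfp_rdata(rdata)
        if fptype not in SSHFP_FPTYPE:
            continue
        if (algo, fptype, fp) == sshfp_from_pubkey(pubkey_line, fptype):
            return True
    return False


if __name__ == "__main__":
    algo, fptype, fp = sshfp_from_pubkey(CONSTRUCTED_HOST_KEY)
    # "_host_" is a placeholder owner name, not a real zone entry.
    print("publish: _host_ IN SSHFP %d %d %s" % (algo, fptype, fp))
    print("matches:", host_key_matches(CONSTRUCTED_HOST_KEY,
                                       ["%d %d %s" % (algo, fptype, fp)]))
```

Because the answer list is empty when no resolver is configured, the code falls through to "no match" without ever blocking, which is the behaviour the reply describes for hosts without DNS.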