From: Ian Lepore <ian@FreeBSD.org>
To: Dag-Erling Smørgrav
Cc: current@FreeBSD.org
Subject: Re: HEADS UP: OpenSSH with DNSSEC support in 10
Date: Wed, 11 Sep 2013 10:16:21 -0600
Message-ID: <1378916181.1111.617.camel@revolution.hippie.lan>
In-Reply-To: <86d2ofe556.fsf@nine.des.no>
References: <86hadre740.fsf@nine.des.no> <1378913151.1111.613.camel@revolution.hippie.lan> <86d2ofe556.fsf@nine.des.no>

On Wed, 2013-09-11 at 17:42 +0200, Dag-Erling Smørgrav wrote:
> Ian Lepore writes:
> > So what happens when there is no dns server to consult? Will every
> > ssh connection have to wait for a long dns query timeout? What if the
> > machine is configured to use only /etc/hosts?
>
> If there is no DNS server, no query will be sent.
>
> > What if a DNS server is configured but doesn't respond?
>
> The DNS request will time out.
>
> In the vast majority of cases, you will either have no DNS at all (so no
> query will be sent), or you will have a functioning DNS server. In a
> slightly less vast majority of cases, you will not be able to resolve
> the server's IP address without DNS anyway.
>
> > For that matter, I just realized I'm a bit unclear on who is querying
> > DNS for this info, the ssh client or the sshd?
>
> The client - and you can override this in your ~/.ssh/config or on the
> command line (-oVerifyHostKeyDNS=no).
>
> DES
> --

Thanks. If this is client-side I'm much less scared by it. At $work we
have embedded systems with less than full network functionality, often
including either /etc/hosts usage or worse, sometimes a dns is configured
but unreachable, and we ssh into them a lot for development.

-- Ian
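The client-side override DES mentions can be scoped per host, which is what the embedded-lab situation Ian describes calls for: disable the SSHFP lookup only for boxes reached through /etc/hosts or by raw address, and keep it on elsewhere. The following ~/.ssh/config fragment is an added example, not part of the thread or of the FreeBSD OpenSSH import; the host patterns (*.lab.example, 10.0.0.*) are placeholders.

```ssh_config
# ~/.ssh/config  (added example; host patterns are placeholders, not from the thread)
#
# ssh_config is first-match-wins: the first Host block that matches the
# destination sets an option, and later blocks cannot change it, so the
# narrow exceptions must come before the catch-all block.

# Embedded lab boxes reached by /etc/hosts name or raw address, where a
# resolver may be configured but unreachable. Skipping the SSHFP lookup
# means the connection never waits on a DNS timeout. The host key is still
# checked against ~/.ssh/known_hosts as usual; only the DNS cross-check goes.
Host *.lab.example 10.0.0.*
    VerifyHostKeyDNS no

# Everything else: look up SSHFP records. "ask" shows whether the record
# matched but still prompts for unknown keys per StrictHostKeyChecking;
# "yes" would implicitly trust a key that matches a DNSSEC-validated
# record, and treats a non-validated record as "ask".
Host *
    VerifyHostKeyDNS ask
```

The same effect for a single connection is `ssh -o VerifyHostKeyDNS=no user@host`. On OpenSSH 6.8 and later (newer than the import discussed here), `ssh -G host` prints the effective per-host configuration, which is the quickest way to confirm which block a given destination actually matched.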