Date: Wed, 11 Sep 2013 23:18:05 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Ian Lepore <ian@freebsd.org>
Cc: freebsd-security@freebsd.org, current@freebsd.org
Subject: Re: HEADS UP: OpenSSH with DNSSEC support in 10
Message-ID: <alpine.GSO.1.10.1309112314420.16692@multics.mit.edu>
In-Reply-To: <1378913151.1111.613.camel@revolution.hippie.lan>
References: <86hadre740.fsf@nine.des.no> <1378913151.1111.613.camel@revolution.hippie.lan>
On Wed, 11 Sep 2013, Ian Lepore wrote:

> On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
>> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
>> disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
>> VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust
>> DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask"
>> (aka "train the user to type 'yes' and hit enter") and "no" (aka "train
>> the user to type 'yes' and hit enter without even the benefit of a
>> second opinion").
>>
>> DES
>
> So what happens when there is no dns server to consult? Will every ssh
> connection have to wait for a long dns query timeout?

There is a long precedent for ssh waiting on DNS timeouts, with the GSSAPI*
options. At least in some cases, ssh could end up waiting for 3 retries
against each KDC for each of some six GSSAPI mechanisms, at (IIRC) a
3-second timeout each. This was so bad that corrective action was taken,
but there are still some delays if DNS is not functioning properly.

-Ben Kaduk
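The thread turns on what a VerifyHostKeyDNS=yes client actually trusts: an SSHFP record is nothing more than a hash of the raw host key blob, tagged with an algorithm number and a hash type. The following Python is an added example (not code from this thread, from OpenSSH or from FreeBSD) showing how those records are derived from an OpenSSH public key line, which is what `ssh-keygen -r` produces for zone files, and how a record returned by a resolver is checked against the key a server offers. The host name `host.example.test` and the 32 key bytes are constructed placeholders, not a real host's key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the
# key type string that leads an OpenSSH public key line.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line into (key type, raw key blob).

    The blob is the base64 payload. Its first SSH string must repeat the
    key type, so a mangled line is rejected instead of being fingerprinted.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii") != key_type:
        raise ValueError("key type field does not match key blob")
    return key_type, blob


def sshfp_records(hostname: str, line: str, fptypes=(1, 2)):
    """Return zone-file SSHFP RRs for one host key line.

    The fingerprint is the hash over the raw key blob, i.e. exactly the
    bytes that are base64-encoded in the public key line. That is what the
    RR carries and what a VerifyHostKeyDNS=yes client compares against the
    key offered by the server.
    """
    key_type, blob = parse_pubkey_line(line)
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    alg = SSHFP_ALGORITHM[key_type]
    records = []
    for fptype in fptypes:
        digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
        records.append(f"{hostname}. IN SSHFP {alg} {fptype} {digest}")
    return records


def record_matches(record: str, hostname: str, line: str) -> bool:
    """Check one SSHFP record (e.g. one resolver answer) against a key line.

    Mirrors the client-side decision: the offered key is accepted only if
    its fingerprint equals one published in DNS. Unknown hash types are
    treated as non-matching rather than as errors.
    """
    fields = record.split()
    # Expect "<owner> IN SSHFP <alg> <fptype> <hex>"
    if len(fields) != 6 or fields[1:3] != ["IN", "SSHFP"]:
        return False
    try:
        fptype = int(fields[4])
    except ValueError:
        return False
    if fptype not in SSHFP_FPTYPE:
        return False
    expected = sshfp_records(hostname, line, fptypes=(fptype,))[0]
    return " ".join(fields).lower() == expected.lower()


# Constructed Ed25519 public key (placeholder key bytes) in OpenSSH format.
_demo_blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
DEMO_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_demo_blob).decode() + " root@example.test"
DEMO_HOST = "host.example.test"

if __name__ == "__main__":
    for rr in sshfp_records(DEMO_HOST, DEMO_KEY_LINE):
        print(rr)
```

Because the record is only a hash of the key, the security of VerifyHostKeyDNS=yes rests entirely on the DNSSEC validation of the answer; an unsigned or unvalidated SSHFP answer carries no more authority than the key the server itself presents, which is why OpenSSH only honours it when the resolver reports the data as authenticated.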