Date:      Wed, 11 Sep 2013 23:18:05 -0400 (EDT)
From:      Benjamin Kaduk <kaduk@MIT.EDU>
To:        Ian Lepore <ian@freebsd.org>
Cc:        freebsd-security@freebsd.org, current@freebsd.org
Subject:   Re: HEADS UP: OpenSSH with DNSSEC support in 10
Message-ID:  <alpine.GSO.1.10.1309112314420.16692@multics.mit.edu>
In-Reply-To: <1378913151.1111.613.camel@revolution.hippie.lan>
References:  <86hadre740.fsf@nine.des.no> <1378913151.1111.613.camel@revolution.hippie.lan>


On Wed, 11 Sep 2013, Ian Lepore wrote:

> On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
>> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
>> disable LDNS in src.conf.  If DNSSEC is enabled, the default setting for
>> VerifyHostKeyDNS is "yes".  This means that OpenSSH will silently trust
>> DNSSEC-signed SSHFP records.  I consider this a lesser evil than "ask"
>> (aka "train the user to type 'yes' and hit enter") and "no" (aka "train
>> the user to type 'yes' and hit enter without even the benefit of a
>> second opinion").
>>
>> DES
>
> So what happens when there is no dns server to consult?  Will every ssh
> connection have to wait for a long dns query timeout?

There is a long precedent for ssh waiting on DNS timeouts, with the GSSAPI*
options.  At least in some cases, ssh could end up waiting for 3 retries 
against each KDC for each of some six GSSAPI mechanisms, at (IIRC) a 
3-second timeout each.  This was so bad that corrective action was taken, 
but there are still some delays if DNS is not functioning properly.

-Ben Kaduk

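The mechanism under discussion, as an added illustration that is not part of this thread and not OpenSSH's own code: an SSHFP record holds a fingerprint of the server's host public key, and a client with VerifyHostKeyDNS enabled compares the key it receives with those records. The example below builds the record text that `ssh-keygen -r` would print for a key, parses records back, and returns the decision a client would take. The host key and records are constructed, not real, and the decision rules (accept silently only on a fingerprint match from a DNSSEC-validated answer; otherwise fall back to asking) reflect the author's understanding of OpenSSH's documented behaviour, not code taken from it.

```python
"""Added example: how SSHFP-based host key verification works.

Record format (RFC 4255):  hostname IN SSHFP <algorithm> <fp-type> <hex>
fp-type 1 = SHA-1, fp-type 2 = SHA-256, both over the raw public-key blob
(the base64 field of a known_hosts / authorized_keys style line).
Illustrative code only; the key and records below are constructed.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_for_key(pubkey_line, fptype=2):
    """Return (algo, fptype, hex_fingerprint) for an OpenSSH public-key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALGO[keytype], fptype, SSHFP_FPTYPE[fptype](blob).hexdigest()


def sshfp_record_text(hostname, pubkey_line, fptype=2):
    """Zone-file text for the SSHFP record of this key (what ssh-keygen -r prints)."""
    algo, fpt, hexfp = sshfp_for_key(pubkey_line, fptype)
    return f"{hostname} IN SSHFP {algo} {fpt} {hexfp}"


def parse_sshfp(rr_text):
    """Parse 'host IN SSHFP algo fptype hex' into (algo, fptype, hex)."""
    fields = rr_text.split()
    if len(fields) < 6 or fields[2].upper() != "SSHFP":
        raise ValueError("not an SSHFP record")
    return int(fields[3]), int(fields[4]), fields[5].lower()


def check_host_key(pubkey_line, records, dnssec_validated):
    """Decide what a VerifyHostKeyDNS=yes client does with a received host key.

    records: SSHFP record texts the resolver returned for the host.
    dnssec_validated: whether the resolver marked the answer as validated
    (the AD flag).  Returns "accept" (silently trust), "ask" (no usable
    record, or a match that was not DNSSEC-validated), or "mismatch"
    (records exist for this key type but none match; the client should
    warn and treat the key as unknown).  Assumed behaviour, see lead-in.
    """
    algo = SSHFP_ALGO[pubkey_line.split()[0]]
    matched = seen_for_algo = False
    for rr in records:
        r_algo, r_fpt, r_hex = parse_sshfp(rr)
        if r_algo != algo or r_fpt not in SSHFP_FPTYPE:
            continue  # record for another key type or an unknown hash
        seen_for_algo = True
        _, _, hexfp = sshfp_for_key(pubkey_line, r_fpt)
        if hmac.compare_digest(hexfp, r_hex):
            matched = True
    if not seen_for_algo:
        return "ask"
    if matched:
        return "accept" if dnssec_validated else "ask"
    return "mismatch"


def constructed_ed25519_pubkey_line():
    """A syntactically valid ssh-ed25519 public-key line built from a fixed
    32-byte pattern.  It is NOT a real key; it only exercises the encoding."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey_line()
    rr = sshfp_record_text("host.example.", key)
    print(rr)
    print(check_host_key(key, [rr], dnssec_validated=True))
    print(check_host_key(key, [rr], dnssec_validated=False))
    tampered = rr[:-1] + ("0" if rr[-1] != "0" else "1")
    print(check_host_key(key, [tampered], dnssec_validated=True))
```

The `dnssec_validated` flag is the crux of the thread's trade-off: without it, a spoofed SSHFP answer would be as good as a signed one, which is why the silent "yes" path is only safe when the resolver actually validates. Note also that the example does no DNS lookups at all, so it says nothing about the timeout question raised above; that depends on the resolver configuration, not on the record comparison.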