Date: Wed, 11 Sep 2013 10:16:21 -0600
From: Ian Lepore <ian@FreeBSD.org>
To: Dag-Erling Smørgrav <des@des.no>
Cc: current@FreeBSD.org
Subject: Re: HEADS UP: OpenSSH with DNSSEC support in 10
Message-ID: <1378916181.1111.617.camel@revolution.hippie.lan>
In-Reply-To: <86d2ofe556.fsf@nine.des.no>
References: <86hadre740.fsf@nine.des.no> <1378913151.1111.613.camel@revolution.hippie.lan> <86d2ofe556.fsf@nine.des.no>

On Wed, 2013-09-11 at 17:42 +0200, Dag-Erling Smørgrav wrote:
> Ian Lepore <ian@FreeBSD.org> writes:
> > So what happens when there is no dns server to consult? Will every
> > ssh connection have to wait for a long dns query timeout? What if the
> > machine is configured to use only /etc/hosts?
>
> If there is no DNS server, no query will be sent.
>
> > What if a DNS server is configured but doesn't respond?
>
> The DNS request will time out.
>
> In the vast majority of cases, you will either have no DNS at all (so no
> query will be sent), or you will have a functioning DNS server. In a
> slightly less vast majority of cases, you will not be able to resolve
> the server's IP address without DNS anyway.
>
> > For that matter, I just realized I'm a bit unclear on who is querying
> > DNS for this info, the ssh client or the sshd?
>
> The client - and you can override this in your ~/.ssh/config or on the
> command line (-oVerifyHostKeyDNS=no).
>
> DES
> --

Thanks. If this is client-side I'm much less scared by it. At $work we
have embedded systems with less than full network functionality, often
including either /etc/hosts usage or worse, sometimes a dns is
configured but unreachable, and we ssh into them a lot for development.

-- Ian
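
An added example, not part of the original message or of the FreeBSD/OpenSSH sources: a client-side ~/.ssh/config that applies the VerifyHostKeyDNS override mentioned above only to hosts where a configured resolver may be unreachable. The host patterns and the 192.0.2.* range are constructed placeholders.

```sshconfig
# ~/.ssh/config (constructed example; host patterns are placeholders)
#
# ssh uses the first value it obtains for each option, so the specific
# Host block must appear before the catch-all "Host *" block.

# Embedded development targets reached via /etc/hosts names or bare
# addresses. Skip the client-side DNS lookup for host key verification
# so a configured-but-unreachable resolver cannot delay these logins.
Host devboard-* 192.0.2.*
    VerifyHostKeyDNS no
    # Host keys for these targets are still checked against known_hosts;
    # only the DNS-based verification is switched off.

# Everything else keeps DNS-based host key verification.
Host *
    VerifyHostKeyDNS yes

# One-off equivalent on the command line, as given in the thread:
#   ssh -oVerifyHostKeyDNS=no devboard-01
```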