HEADS UP: OpenSSH with DNSSEC support in 10
Ian Lepore
ian at FreeBSD.org
Wed Sep 11 16:16:25 UTC 2013
On Wed, 2013-09-11 at 17:42 +0200, Dag-Erling Smørgrav wrote:
> Ian Lepore <ian at FreeBSD.org> writes:
> > So what happens when there is no dns server to consult? Will every
> > ssh connection have to wait for a long dns query timeout? What if the
> > machine is configured to use only /etc/hosts?
>
> If there is no DNS server, no query will be sent.
>
> > What if a DNS server is configured but doesn't respond?
>
> The DNS request will time out.
>
> In the vast majority of cases, you will either have no DNS at all (so no
> query will be sent), or you will have a functioning DNS server. In a
> slightly less vast majority of cases, you will not be able to resolve
> the server's IP address without DNS anyway.
>
> > For that matter, I just realized I'm a bit unclear on who is querying
> > DNS for this info, the ssh client or the sshd?
>
> The client - and you can override this in your ~/.ssh/config or on the
> command line (-oVerifyHostKeyDNS=no).
>
> DES
> --
Thanks. If this is client-side I'm much less scared by it. At $work we
have embedded systems with less than full network functionality, often
including either /etc/hosts usage or worse, sometimes a dns is
configured but unreachable, and we ssh into them a lot for development.
-- Ian