On Sat, 2013-09-14 at 16:03 +0200, Dag-Erling Smørgrav wrote:
> Ian Lepore writes:
> > I just ran into a build error related to this:
> > [...]
> > I find that the attached patch fixes it for me.
> > [...]
> > @@ -1468,7 +1468,7 @@ lib/libcxxrt__L: gnu/lib/libgcc__L
> > lib/libradius l
Ian Lepore writes:
> I just ran into a build error related to this:
> [...]
> I find that the attached patch fixes it for me.
> [...]
> @@ -1468,7 +1468,7 @@ lib/libcxxrt__L: gnu/lib/libgcc__L
> lib/libradius lib/libsbuf lib/libtacplus \
> ${_cddl_lib_libumem} ${_cddl_l
On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
> disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
> VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust
> DNSSEC-signed SSH
On Wed, 11 Sep 2013, Ian Lepore wrote:
> On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
> > OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
> > disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
> > VerifyHostKeyDNS is "yes". This means that OpenSSH wi
Ian Lepore writes:
> So what happens when there is no dns server to consult? Will every
> ssh connection have to wait for a long dns query timeout? What if the
> machine is configured to use only /etc/hosts?
If there is no DNS server, no query will be sent.
> What if a DNS server is configured
On Wed, Sep 11, 2013, at 11:16, Ian Lepore wrote:
>
> Thanks. If this is client-side I'm much less scared by it. At $work we
> have embedded systems with less than full network functionality, often
> including either /etc/hosts usage or worse, sometimes a dns is
> configured but unreachable, and
On Wed, 2013-09-11 at 17:42 +0200, Dag-Erling Smørgrav wrote:
> Ian Lepore writes:
> > So what happens when there is no dns server to consult? Will every
> > ssh connection have to wait for a long dns query timeout? What if the
> > machine is configured to use only /etc/hosts?
>
> If there is n
OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust
DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask"
(aka "train the
On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
> disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
> VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust
> DNSSEC-signed SSH