On Wed, 12 Nov 2014, Paul Ebersman wrote:
> Yup... There is discussion in a couple of distro web sites on changing this default but while most novice sysadmins will tend to use distros, if they upgrade, it doesn't stomp the /etc files. That's usually a feature. In this case, it means we're going to be living with this bad default for a while.
Actually, distros try to use a dir.d/*.conf type structure these days for exactly this reason. It allows base options that are untouched to be upgraded even if there are custom user options. openssh is one of those that unfortunately does not support that.
> But no reason not to talk to our friends that work on debian/freebsd et al and have them change the default to at least not make it worse but it will be around a while.
Distros tend to stick to upstream options. So for example if you want this changed in fedora/rhel, you will need to talk to openssh because according to their man page (for openssh-6.4p1-5):

    UseDNS  Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is “yes”.

Paul

ps. if you talk to them, please also get them to change the default for VerifyHostKeyDNS= to "ask".

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
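As an added worked example (not OpenSSH code and not from either participant in the thread), the following models the UseDNS check quoted from the man page: reverse-resolve the client IP, forward-resolve the returned name(s), and accept a name only if the original IP is among its addresses. The PTR/A data is constructed, and all function names (`forward_confirmed_reverse`, `log_identity`, the `fake_*` and `live_*` lookups) are this example's own.

```python
"""Model of the sshd(8) UseDNS check quoted above from the man page.

Added example: not OpenSSH code and not from the thread. The zone data is
constructed, and every function name here is this example's own.
"""
import socket
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str], List[str]]

# Constructed PTR data (IP -> names) and A data (name -> IPs), covering the
# cases a reverse-then-forward check has to handle.
FAKE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["good.example.net"],      # PTR and A agree
    "192.0.2.20": ["spoof.example.net"],     # A record points somewhere else
    "192.0.2.30": ["multi.example.net"],     # one of several A records matches
    # 192.0.2.40 deliberately has no PTR record
}
FAKE_A: Dict[str, List[str]] = {
    "good.example.net": ["192.0.2.10"],
    "spoof.example.net": ["198.51.100.1"],
    "multi.example.net": ["192.0.2.31", "192.0.2.30"],
}


def fake_ptr(ip: str) -> List[str]:
    """Reverse lookup against the constructed data; a missing record raises
    like the system resolver would."""
    if ip not in FAKE_PTR:
        raise OSError(f"no PTR for {ip}")
    return FAKE_PTR[ip]


def fake_a(name: str) -> List[str]:
    """Forward lookup against the constructed data."""
    if name not in FAKE_A:
        raise OSError(f"no A for {name}")
    return FAKE_A[name]


def live_ptr(ip: str) -> List[str]:
    """Same contract, using the system resolver (needs network)."""
    host, aliases, _ = socket.gethostbyaddr(ip)
    return [host] + list(aliases)


def live_a(name: str) -> List[str]:
    """Forward lookup via the system resolver (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def forward_confirmed_reverse(ip: str, ptr_lookup: Lookup, a_lookup: Lookup) -> Optional[str]:
    """Return the host name the check accepts for `ip`, or None.

    Mirrors the man page text: reverse-resolve the IP, then forward-resolve
    each returned name and require the original IP to be among its addresses.
    A PTR name that does not map back was chosen by whoever controls the
    reverse zone for that IP, so it is discarded rather than trusted.
    """
    try:
        names = ptr_lookup(ip)
    except OSError:
        return None                       # no PTR: nothing to confirm
    for name in names:
        try:
            addrs = a_lookup(name)
        except OSError:
            continue                      # name has no address records
        if ip in addrs:
            return name.lower()
    return None                           # PTR present but does not map back


def log_identity(ip: str, ptr_lookup: Lookup = fake_ptr, a_lookup: Lookup = fake_a) -> str:
    """The identity reported for the connection in this model: the confirmed
    name when the check passes, otherwise the bare IP."""
    return forward_confirmed_reverse(ip, ptr_lookup, a_lookup) or ip


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(f"{client:<12} -> {log_identity(client)}")
```

Swapping in `live_ptr` and `live_a` runs the same check against the system resolver; `UseDNS no` in sshd_config, the change the thread is asking for, is what skips this entire lookup chain at connection time.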