I would be asking anyone who says VerifyReverseMapping on by default, and VerifyHostKeyDNS likewise, should justify their position.
Because the collective wisdom I'm seeing here is that it's a false benefit, and considering what SSH is, and what it seeks to do, it's rather sad to be driven down a street which adds little (or nothing) and prevents beneficial outcomes. I agree it's pushing back on razor wire, but maybe that's a 'take one for the team' moment. If I knew the people I'd be pushing too. If I find I do know people in this space, I will be.

On Wed, Nov 12, 2014 at 11:21 AM, Paul Ebersman <list-dn...@dragon.net> wrote:
>
> paul> Actually, distros try to use a dir.d/*.conf type structure these
> paul> days for exactly this reason. It allows base options that are
> paul> untouched to be upgraded even if there are custom user
> paul> options. openssh is one of those that unfortunately does not
> paul> support that.
>
> Thanks for the correction/clarification.
>
> paul> Distros tend to stick to upstream options. So for example if you
> paul> want this changed in fedora/rhel, you will need to talk to openssh
> paul> because according to their man page (for openssh-6.4p1-5):
>
> paul> UseDNS Specifies whether sshd(8) should look up the remote
> paul> host name and check that the resolved host name for the
> paul> remote IP address maps back to the very same IP address. The
> paul> default is "yes".
>
> paul> ps. if you talk to them, please also get them to change the
> paul> default for VerifyHostKeyDNS= to "ask".
>
> I can ask...
>
> But I'm also finding various "best practice" websites recommending
> turning on VerifyReverseMapping.
>
> Seeing shades of augean stables...
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
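The check the quoted man page text describes (reverse-resolve the peer address, then confirm the resulting name resolves back to that address) is small enough to show in full. The following is an added example, not code from OpenSSH or from anyone in this thread; it reimplements the forward-confirmed reverse DNS logic over a stub resolver with constructed PTR and A records so that it runs offline. The record data, hostnames and addresses are made up, and the status labels (`no-ptr`, `mismatch`, `confirmed`) are this example's own naming, not sshd's.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check of the kind sshd performs
when UseDNS / VerifyReverseMapping is enabled.

Added example: not code from OpenSSH or from the DNSOP thread. The resolver
is a stub over constructed records so the check runs offline.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed zone data (documentation ranges, not real hosts).
# PTR: address -> name.  A: name -> addresses.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "host-a.example.net",   # forward record confirms it
    "192.0.2.11": "host-b.example.net",   # forward record points elsewhere
    "192.0.2.12": "orphan.example.net",   # no forward record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "host-a.example.net": ["192.0.2.10", "192.0.2.40"],
    "host-b.example.net": ["198.51.100.7"],
}


def reverse_lookup(addr: str, ptr: Dict[str, str] = PTR_RECORDS) -> Optional[str]:
    """Stub for a PTR query: the name the address owner published, or None."""
    return ptr.get(addr)


def forward_lookup(name: str, a: Dict[str, List[str]] = A_RECORDS) -> List[str]:
    """Stub for an A query: every address the name resolves to (maybe none)."""
    return a.get(name, [])


def check_reverse_mapping(
    addr: str,
    ptr: Dict[str, str] = PTR_RECORDS,
    a: Dict[str, List[str]] = A_RECORDS,
) -> Tuple[str, str]:
    """Return (status, name_to_display) for a connecting address.

    status is one of:
      'no-ptr'    -> no PTR record; fall back to the bare address
      'mismatch'  -> PTR name exists but does not resolve back to addr
      'confirmed' -> PTR name resolves back to addr, so the name may be used
    """
    ipaddress.ip_address(addr)  # reject garbage before doing any lookup
    name = reverse_lookup(addr, ptr)
    if name is None:
        return "no-ptr", addr
    # The forward answer may list several addresses; any match confirms it.
    if addr not in forward_lookup(name, a):
        return "mismatch", addr
    return "confirmed", name


def audit(addrs: List[str]) -> Dict[str, int]:
    """Count outcomes over a batch of peer addresses (e.g. from a log)."""
    counts = {"no-ptr": 0, "mismatch": 0, "confirmed": 0}
    for addr in addrs:
        status, _ = check_reverse_mapping(addr)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.99"):
        print(peer, "->", check_reverse_mapping(peer))
    print(audit(["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.99"]))
```

What the example makes visible is the limit of the check that the thread is arguing about: a "confirmed" result only means the operator of the reverse zone for that address block and the operator of the forward zone agree with each other. It authenticates nothing about the client; the host key and the user's credentials do that. Where it does matter is hostname-based matching, since sshd only applies hostname patterns (for example `from=` in `authorized_keys`) when it has a confirmed name to match against; with a mismatch or no PTR it falls back to the bare address. Note also that OpenSSH later changed the upstream default of `UseDNS` to "no" (release 6.8), so the man page quoted above describes the default as it stood at 6.4.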