problem with DNS lookups on non-IPv4-only-mode?

Kendell Welch kwelch at useractive.com
Thu Jun 10 17:55:22 EST 2004


Hi All,

It seems to me that the problem here is that some DNS servers don't respond
to IPv6 DNS queries correctly (query type=aaaa)...perhaps I'm wrong.

Now, I don't know how easy it would be to implement in a cross-platform
manner, but doesn't it seem reasonable that clients (a.k.a. sshd servers)
which are not configured for IPv6 addresses would have no need for looking
up IPv6 addresses via DNS?

Could sshd determine if the machine was configured with IPv6 addresses,
and if not, simply not make IPv6 DNS requests???  Perhaps I'm ignorant of
common (X)NIX programming (I'm a Windows API programmer), but it seems to
me that such a solution would avoid this problem.

Thanks!
Kendell


On Wed, 9 Jun 2004, Dan Kaminsky wrote:

> Damien Miller wrote:
>
> >Dan Kaminsky wrote:
> >
> >>2)  Doing a DNS lookup for a non-existent target.
> >
> >That will freeze, because there isn't a good cross-platform async
> >DNS
> >
> Well, there's always:
>
> a) Wrapping gethostbyname in a thread (requires server mods)
> b) Executing "host" or "nslookup" over a channel.
>
> >>This is ultimately a fundamental weakness in the sshd architecture,
> >
> >I don't think this is an architectural problem - we already do
> >everything else in an event-driven manner. If there was a decent
> >async DNS API we could do this too.
> >
> It's totally an architectural problem, very much like that Cisco fault a
> while back where unresolved packets in unassigned protocols would
> eventually cause the entire system to fall over.  If one channel kills
> the rest, there's an architectural fault.
>
> Now, an easy or elegant to resolve fault, it ain't :-)
>
> >It would be possible to fake one up - fork a child for DNS resolution
> >and have it send back a list of { af, addr }. One would need to be
> >careful wrt limits on the number of such children, reaping them, etc.
> >
> *nods*
>
> >>the only ironclad solution
> >
> >For now, don't use hostnames in forwarding specifications.
> >
> He needs to; it's insecure to trust local DNS (the #1 problem with
> dynamic forwarding).
>
> --Dan
>
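The forked-resolver approach Damien sketches above, combined with Kendell's idea of not asking for IPv6 records on an IPv4-only host, as an added C example (not OpenSSH code and not from anyone in this thread): the child resolves and writes { af, addr } records into a pipe, and the parent waits with a timeout, killing and reaping a child that hangs so one stuck lookup cannot freeze the rest of the server. AI_ADDRCONFIG is a standard getaddrinfo(3) flag; dns_rec, resolver_child and async_resolve are names made up here.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
struct dns_rec { int af; unsigned char addr[16]; };  /* Damien's { af, addr } record */
/* Child: resolve, then stream fixed-size records back over the pipe. Passing
 * AI_ADDRCONFIG in flags makes getaddrinfo() skip AAAA lookups on a host with no
 * IPv6 address configured, which is Kendell's suggestion expressed as one flag. */
static void resolver_child(int fd, const char *host, int flags) {
    struct addrinfo hints = {0}, *res, *p;
    hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = flags;
    if (getaddrinfo(host, NULL, &hints, &res) == 0) {
        for (p = res; p != NULL; p = p->ai_next) {
            struct dns_rec r = { p->ai_family, {0} };
            if (p->ai_family == AF_INET)
                memcpy(r.addr, &((struct sockaddr_in *)p->ai_addr)->sin_addr, 4);
            else if (p->ai_family == AF_INET6)
                memcpy(r.addr, &((struct sockaddr_in6 *)p->ai_addr)->sin6_addr, 16);
            else continue;
            /* sizeof r < PIPE_BUF, so each record write is atomic */
            if (write(fd, &r, sizeof r) != (ssize_t)sizeof r) break;
        }
        freeaddrinfo(res);
    }
    _exit(0);
}
/* Parent: fork the resolver and wait at most timeout_sec per record. Returns the
 * number of records stored in out, or -1 if the child hung and had to be killed;
 * the event loop calling this never blocks inside the resolver itself. */
int async_resolve(const char *host, int flags, int timeout_sec, struct dns_rec *out, int max) {
    int fds[2], n = 0; pid_t pid;
    if (pipe(fds) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) { close(fds[0]); resolver_child(fds[1], host, flags); }
    close(fds[1]);
    for (;;) {
        struct dns_rec r; fd_set rs; struct timeval tv = { timeout_sec, 0 };
        FD_ZERO(&rs); FD_SET(fds[0], &rs);
        if (select(fds[0] + 1, &rs, NULL, NULL, &tv) <= 0) {
            kill(pid, SIGKILL); n = -1; break;  /* stuck on a silent server: drop it */
        }
        if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r) break;  /* EOF: done */
        if (n < max) out[n++] = r;
    }
    close(fds[0]); waitpid(pid, NULL, 0);  /* always reap, so children never pile up */
    return n;
}
```

In a real server the per-record timeout would be replaced by a deadline tracked by the event loop, and the number of live resolver children capped, as Damien notes.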