SRV lookup support (Bugzilla 2217)

James Bottomley James.Bottomley at HansenPartnership.com
Fri Feb 19 06:22:50 AEDT 2021


On Thu, 2021-02-18 at 16:13 +0100, Thorsten Glaser wrote:
> On Thu, 18 Feb 2021, Mara Sophie Grosch wrote:
> 
> > > (after all, they could already send it to an entirely different
> > > host) but maybe I'm missing something...
> > 
> > I think if an attacker controls DNS, it's a lost game anyway.
> > Current
> 
> It’s still a level of indirection that isn’t traditionally used, and
> which makes me a bit nervous,

The statement is a bit ambiguous, but I think you're saying SRV records
aren't traditionally used?  That's simply not true.  If you look at my
own host site, I have SRV records for a couple of protocols:

_matrix._tcp.hansenpartnership.com
_xmpp-client._tcp.hansenpartnership.com
_xmpp-server._tcp.hansenpartnership.com

Whether you should have them for openssh is a different question, but
SRV is used as a requirement by several protocols today.  XMPP simply
won't work without them unless you happen to have a lucky domain setup
and matrix could use the .well-known/ URL instead, but having SRV
records is required for setups where WWW isn't run on the domain URL.

>  especially considering name resolution is not just DNS (think
> /etc/hosts for example).

/etc/hosts only resolves A and AAAA records, so it would have no impact
on SRV records at all.  It's actually annoying on one level because to
test out the functionality of SRV records you really do need a DNS
setup.

James
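The mechanics the message above refers to, as an added illustration that is not part of this thread or of OpenSSH: the `_service._proto.name` owner name an SRV client queries, a parser for the SRV RDATA (priority, weight, port, target) in a DNS answer including RFC 1035 name compression, and the RFC 2782 client ordering by priority and weight. Because testing SRV normally needs a real DNS setup, the DNS message here is constructed in code rather than fetched from a resolver; `example.com` and the host names are assumptions.

```python
"""Minimal RFC 2782 SRV handling over a constructed DNS response (added example)."""
import random
import struct

TYPE_SRV = 33
CLASS_IN = 1


def srv_qname(service: str, proto: str, domain: str) -> str:
    """Owner name an SRV client looks up, e.g. _ssh._tcp.example.com."""
    return f"_{service}._{proto}.{domain.rstrip('.')}"


def encode_name(name: str) -> bytes:
    """Wire-format (uncompressed) domain name; '.' or '' is the root."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; returns (name, offset after name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2  # resume after first pointer
            off, hops = ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return (".".join(labels) or "."), (end if end is not None else off)


def build_srv_response(qname: str, records, txn_id: int = 0x1234) -> bytes:
    """Constructed answer: one question plus one SRV RR per (prio, weight, port, target)."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(records), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    owner_ptr = struct.pack("!H", 0xC000 | 12)        # points at qname (offset 12)
    for priority, weight, port, target in records:
        rdata = struct.pack("!HHH", priority, weight, port) + encode_name(target)
        msg += owner_ptr + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 300, len(rdata)) + rdata
    return msg


def parse_srv_response(msg: bytes):
    """Return [(priority, weight, port, target), ...] from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"DNS RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                                # skip the question(s)
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV and rclass == CLASS_IN:
            priority, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            records.append((priority, weight, port, target))
        off += rdlen
    return records


def order_targets(records, rng=random):
    """RFC 2782 client order: lowest priority first; inside a priority, pick by
    weight-proportional random choice (weight-0 entries only when nothing else
    remains, a slight simplification of the RFC's running-sum procedure)."""
    by_priority = {}
    for rec in records:
        if rec[3] != ".":             # target '.' means "service not offered"
            by_priority.setdefault(rec[0], []).append(rec)
    ordered = []
    for priority in sorted(by_priority):
        pool = by_priority[priority]
        while pool:
            total = sum(r[1] for r in pool)
            pick = pool[0]
            if total:
                n, acc = rng.randint(0, total - 1), 0
                for r in pool:
                    acc += r[1]
                    if acc > n:
                        pick = r
                        break
            ordered.append((pick[3], pick[2]))
            pool.remove(pick)
    return ordered


# Constructed sample zone data (assumed names, not from the thread).
SAMPLE_RECORDS = [
    (10, 60, 22, "ssh1.example.com"),
    (10, 40, 2222, "ssh2.example.com"),
    (20, 0, 22, "backup.example.com"),
    (30, 0, 0, "."),
]

if __name__ == "__main__":
    wire = build_srv_response(srv_qname("ssh", "tcp", "example.com"), SAMPLE_RECORDS)
    print(order_targets(parse_srv_response(wire)))
```

Note that the target selection is what actually decides which host the client connects to, which is the indirection the thread is discussing: anyone who can answer the SRV query picks the target and port.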
