Match on AddressFamily
Marc Haber
mh+openssh-unix-dev at zugschlus.de
Sun Jun 14 02:17:30 AEST 2026
Hi Jochen,
On Mon, Jun 01, 2026 at 09:43:10AM +0200, Jochen Bern wrote:
>Assuming that you *do* use FQDNs and do *not* have them all pre-listed
>in /etc/hosts, how would you *avoid* doing DNS lookups (whose results
>would then get cached locally and incur far lesser cost/delay when
>looked up again), anyway?
I am not sure whether I want to avoid doing DNS lookups. DNS is cheap. I
am happy to do a number of lookups when sshing out. My local recursor is
going to have them cached quickly.
>"Match Host" matches IP addresses string-like, and IIUC does not
>resolve hostnames in advance to try both name *and* IP against the
>matches.
Yes, it sadly doesn't.
>I do wonder, however, whether it'd be worthwhile to restrict the
>meaning of BindAddress to "only if the connection-to-be uses that
>particular address family", *and* add a "none" variant. So that users
>can choose, for IPv4 and IPv6 independently, between "fixed address",
>"any (global?) address", and "refuse this family".
That would avoid all those extra DNS lookups, yes.

    Match Host !0.0.0.0/0,* Localnetwork 2001:db8:43fa:bc82::/64
        BindAddress 2001:db8:43fa:bc82::1f:100

doesn't work for IPv4-only hosts (github, looking at you again).
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421