On Thu, 2021-02-18 at 16:13 +0100, Thorsten Glaser wrote:
> On Thu, 18 Feb 2021, Mara Sophie Grosch wrote:
> >
> > > (after all, they could already send it to an entirely different
> > > host) but maybe I'm missing something...
> >
> > I think if an attacker controls DNS, it's a lost game anyway.
> > Current
>
> It’s still a level of indirection that isn’t traditionally used, and
> which makes me a bit nervous,

The statement is a bit ambiguous, but I think you're saying SRV records aren't traditionally used? That's simply not true. If you look at my own host site, I have SRV records for a couple of protocols:

_matrix._tcp.hansenpartnership.com
_xmpp-client._tcp.hansenpartnership.com
_xmpp-server._tcp.hansenpartnership.com

Whether you should have them for openssh is a different question, but SRV is used as a requirement by several protocols today. XMPP simply won't work without them unless you happen to have a lucky domain setup, and Matrix could use the .well-known/ URL instead, but having SRV records is required for setups where WWW isn't run on the domain URL.

> especially considering name resolution is not just DNS (think
> /etc/hosts for example).

/etc/hosts only resolves A and AAAA records, so it would have no impact on SRV records at all. It's actually annoying on one level because to test out the functionality of SRV records you really do need a DNS setup.

James

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
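To make the SRV discussion above concrete (how a client turns an SRV answer into a host and port, why /etc/hosts only enters the picture afterwards, and how a defender can spot the "entirely different host" indirection the thread worries about), here is an added example that is not part of the mailing-list thread or of OpenSSH. It parses zone-file-style SRV lines, applies the RFC 2782 priority/weight ordering, and flags targets that point outside the service's own zone. The `_ssh._tcp.example.com` records are constructed sample data; `example.com` and `example.net` are hypothetical zones.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # owner-independent hostname from the RDATA; "." means "service not offered"


# Constructed sample answer for a hypothetical _ssh._tcp.example.com lookup.
# Two bastions share priority 10 (weighted 60/40); a third host in a *different*
# zone is the priority-20 fallback.  This is made-up data, not a real zone.
SAMPLE_ZONE_LINES = [
    "_ssh._tcp.example.com. 3600 IN SRV 10 60 2222 bastion-a.example.com.",
    "_ssh._tcp.example.com. 3600 IN SRV 10 40 2222 bastion-b.example.com.",
    "_ssh._tcp.example.com. 3600 IN SRV 20 0 22 fallback.example.net.",
]


def parse_srv_line(line: str) -> Tuple[str, SrvRecord]:
    """Parse one zone-file-style SRV line into (owner, SrvRecord).

    Accepts the usual "owner [ttl] [IN] SRV prio weight port target" layout by
    reading the four RDATA fields from the end of the line.
    """
    fields = line.split()
    if len(fields) < 5 or fields[-5].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    prio, weight, port, target = fields[-4:]
    return fields[0], SrvRecord(int(prio), int(weight), int(port), target)


def parse_srv_answer(lines: List[str]) -> List[SrvRecord]:
    return [parse_srv_line(line)[1] for line in lines]


def order_by_rfc2782(records: List[SrvRecord],
                     choose: Callable[[int], int] = lambda total: random.randint(0, total)
                     ) -> List[SrvRecord]:
    """Return records in the order a client should try them (RFC 2782 section on
    usage rules): lowest priority first; within a priority, a weighted random
    draw, with weight-0 entries placed first so they keep a small chance.

    `choose(total)` returns an integer in [0, total]; it is a parameter so the
    selection can be made deterministic in tests.
    """
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio and r.target != "."]
        group.sort(key=lambda r: r.weight != 0)  # stable: zero-weight first
        while group:
            total = sum(r.weight for r in group)
            pick = choose(total)
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered


def connection_targets(records: List[SrvRecord],
                       choose: Callable[[int], int] = lambda total: random.randint(0, total)
                       ) -> List[Tuple[str, int]]:
    """(hostname, port) pairs in try-order.  Only at this point does the client
    hand each hostname to its ordinary A/AAAA resolver, which is where
    /etc/hosts (or any non-DNS name source) can take part; the SRV step itself
    is DNS-only."""
    return [(r.target.rstrip("."), r.port) for r in order_by_rfc2782(records, choose)]


def _in_zone(name: str, zone: str) -> bool:
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def targets_outside_zone(records: List[SrvRecord], zone: str) -> List[str]:
    """Targets that redirect the service to a host outside `zone`.  A defender
    reviewing SRV data for a service can use this to surface exactly the
    indirection the thread discusses: an SRV answer that sends clients to an
    unrelated domain."""
    return [r.target for r in records if r.target != "." and not _in_zone(r.target, zone)]


if __name__ == "__main__":
    answer = parse_srv_answer(SAMPLE_ZONE_LINES)
    for host, port in connection_targets(answer):
        print(f"try {host}:{port}")
    print("out-of-zone targets:", targets_outside_zone(answer, "example.com"))
```

Running it prints the two bastions in a weighted random order followed by the fallback, and reports `fallback.example.net.` as the one target that leaves the `example.com` zone.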