Bug 2037 - sshd Causing DNS Queries on ListenAddress when binding to IPV4 and IPV6 addresses on AIX
Status: NEW
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: PPC AIX
Importance: P5 normal
Assignee: Assigned to nobody
Reported: 2012-08-28 04:06 AEST by Caleb Lloyd
Modified: 2012-08-28 04:06 AEST
Description Caleb Lloyd 2012-08-28 04:06:58 AEST
On AIX 7.1, sshd is causing an AAAA DNS query to occur on "0.0.0.0" and an A DNS query to occur on "::" when trying to listen on all IPv4 and IPv6 addresses.  If DNS is not configured, OpenSSH will take a long time to try to resolve this DNS query on startup and on receiving a client connection until the DNS query eventually times out.

ListenAddresses from /etc/ssh/sshd_config:

ListenAddress 0.0.0.0
ListenAddress ::

When a listener address is added to the server, the POSIX function "getaddrinfo" is called from servconf.c

sshd application calls:
getaddrinfo("0.0.0.0") and
getaddrinfo("::"), with hints to be NULL for these 2 calls.

---------------------------------------------------------------------------

For getaddrinfo("0.0.0.0", ...) call,
Internally, it will call these 2 APIs to collect information for both IPv4 and IPv6 addresses since hint is NULL:
gethostbyname2("0.0.0.0", AF_INET6)
gethostbyname2("0.0.0.0", AF_INET)

In gethostbyname2 ("0.0.0.0", AF_INET6);
It's asking for an IPv6 address mapping.
"0.0.0.0" itself is NOT an IPv6 address, so resolver treats it as a hostname.
You will see an AAAA query for hostname "0.0.0.0".

In gethostbyname2 ("0.0.0.0", AF_INET);
It's asking for an IPv4 address mapping.
"0.0.0.0" is an IPv4 address, so resolver will NOT go out to DNS server for answer.
---------------------------------------------------------------------------

For getaddrinfo("::",...) call:
Internally, it will call these 2 APIs to collect information for both IPv4 and IPv6 addresses since hint is NULL:
gethostbyname2("::", AF_INET6)
gethostbyname2("::", AF_INET)

In gethostbyname2("::", AF_INET6);
It is asking for an IPv6 address mapping. "::" itself is an IPv6 address.
So it won't do DNS query.

In gethostbyname2("::", AF_INET);
It is asking for an IPv4 address mapping. "::" is NOT an IPv4 address.
"::" itself is NOT an IPv4 address, so resolver treats it as a hostname.
You will see an A query for hostname "::".

---------------------------------------------------------------------------


The solution would be to define an AddressFamily for each ListenAddress in /etc/ssh/sshd_config like so:
AddressFamily inet 
ListenAddress 0.0.0.0
AddressFamily inet6
ListenAddress ::

Another solution would be to create a configuration option that would let AI_NUMERICHOST be passed to the POSIX getaddrinfo() function.
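
The second option in the report, passing AI_NUMERICHOST to getaddrinfo(), is sketched below as an added example; it is not OpenSSH code and was not part of the original report. The helper name listen_addr_family() and the sample values are assumptions made for illustration. With the flag set, POSIX requires the node string to be a numeric address and forbids invoking any name resolution service, so both literals parse locally and a hostname is rejected with no query sent.

```c
/* Added example (not OpenSSH source): numeric-only ListenAddress parsing. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/*
 * listen_addr_family() is a hypothetical helper. It resolves a ListenAddress
 * value with AI_NUMERICHOST so the resolver is never consulted. Returns the
 * address family (AF_INET or AF_INET6), or -1 when the string is not a
 * numeric address literal.
 */
int listen_addr_family(const char *addr, const char *port)
{
    struct addrinfo hints, *res = NULL;
    int family;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;      /* same "any family" case as NULL hints */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST | AI_NUMERICSERV;

    if (getaddrinfo(addr, port, &hints, &res) != 0 || res == NULL)
        return -1;                    /* e.g. EAI_NONAME for a hostname */
    family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

int main(void)
{
    /* Constructed samples: the two literals from the report plus a hostname. */
    const char *samples[] = { "0.0.0.0", "::", "host.example" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int fam = listen_addr_family(samples[i], "22");
        printf("%-14s -> %s\n", samples[i],
            fam == AF_INET ? "AF_INET" :
            fam == AF_INET6 ? "AF_INET6" : "rejected (not numeric)");
    }
    return 0;
}
```

The trade-off is that a ListenAddress given as a hostname no longer resolves, which is why the report suggests making this a configuration option.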