Bug 2483 - use AI_ADDRCONFIG flag for getaddrinfo() hints on Solaris
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: 7.1p1
Hardware: All Solaris
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2015-10-27 08:02 AEDT by Ivo Raisr
Modified: 2021-04-23 15:02 AEST


Attachments
the proposed patch (7.48 KB, patch)
2015-10-27 08:02 AEDT, Ivo Raisr
the proposed patch #2 (6.44 KB, patch)
2015-10-30 17:52 AEDT, Ivo Raisr

Description Ivo Raisr 2015-10-27 08:02:50 AEDT
Created attachment 2739 [details]
the proposed patch

getaddrinfo() in several places around OpenSSH results in a name service (DNS) query. For the detailed list, see below.

On Solaris, when the address family specified in the getaddrinfo() hints is AF_UNSPEC, IPv4 and IPv6 queries are sent over the wire. This is regardless of whether an IPv4 or IPv6 interface is actually configured on the host.

Now some sites configure only IPv4 interfaces on the hosts, and the name service responds only to IPv4 queries (IPv6 ones are ignored). This has a very grave impact on the getaddrinfo() execution time because IPv6 queries basically time out.

On Solaris, there is an AI_ADDRCONFIG flag which can be set for getaddrinfo() hints. It specifies that:
"If the AI_ADDRCONFIG flag is specified, IPv4 addresses are returned only if an IPv4 address is configured on the local system, and IPv6 addresses are returned only if an IPv6 address is configured on the local system. For this case, the loopback address is not considered to be as valid as a configured address. For example, when using the DNS, a query for AAAA records should occur only if the node has at least one IPv6 address configured (other than IPv6 loopback) and a query for A records should occur only if the node has at least one IPv4 address configured (other than the IPv4 loopback)."

Therefore setting the AI_ADDRCONFIG flag for getaddrinfo() hints when the address family is AF_UNSPEC helps a lot in this situation.

See attached patch for the proposed fix.
Regression testing on Solaris went ok. On Linux, OpenSSH builds ok.

Unit testing on Solaris:
------------------------
# Setup. Remove IPv6 address:
ipadm delete-addr net0/v6

# Watch for DNS requests out:
snoop port 53 <local-addr> | grep fake
# AAAA means IPv6 lookups are done.

# Test connectivity (change hostname every time to avoid caching):
ssh fake2

# Cleanup. Eventually enable IPv6 addresses again:
ipadm create-addr -T static -a <original-address> net0/v6
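
The hint handling this report describes, as an added example that is not the attached patch and not OpenSSH code: AI_ADDRCONFIG is set only when the address family is AF_UNSPEC, guarded by the preprocessor symbol itself. The names make_hints() and resolve_host() are hypothetical, and the single retry on EAI_BADFLAGS is an assumption about how a caller might handle a resolver that rejects the flag at run time.

```c
/* Added example, not OpenSSH code. make_hints()/resolve_host() are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Build hints; request AI_ADDRCONFIG only when the family is left open. */
static struct addrinfo make_hints(int family, int socktype)
{
	struct addrinfo hints;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = family;
	hints.ai_socktype = socktype;
#ifdef AI_ADDRCONFIG	/* the flag is itself a preprocessor symbol */
	if (family == AF_UNSPEC)	/* explicit AF_INET/AF_INET6 stays untouched */
		hints.ai_flags |= AI_ADDRCONFIG;
#endif
	return hints;
}

/* Returns 0 or a getaddrinfo() error; caller frees *res with freeaddrinfo(). */
static int resolve_host(const char *host, const char *port, int family,
    struct addrinfo **res)
{
	struct addrinfo hints = make_hints(family, SOCK_STREAM);
	int gaierr = getaddrinfo(host, port, &hints, res);
#ifdef AI_ADDRCONFIG
	/* Assumption: retry only if the resolver rejects the flag. Retrying on
	 * every failure would send the AAAA queries the flag is there to avoid. */
	if (gaierr == EAI_BADFLAGS && (hints.ai_flags & AI_ADDRCONFIG)) {
		hints.ai_flags &= ~AI_ADDRCONFIG;
		gaierr = getaddrinfo(host, port, &hints, res);
	}
#endif
	return gaierr;
}

int main(int argc, char **argv)
{
	struct addrinfo *res = NULL, *ai;
	int gaierr = resolve_host(argc > 1 ? argv[1] : "127.0.0.1", "22", AF_UNSPEC, &res);
	if (gaierr != 0) { fprintf(stderr, "%s\n", gai_strerror(gaierr)); return 1; }
	for (ai = res; ai != NULL; ai = ai->ai_next)
		printf("%s\n", ai->ai_family == AF_INET6 ? "AF_INET6" : "AF_INET");
	freeaddrinfo(res);
	return 0;
}
```

Because the quoted manual text says the loopback address does not count as configured, a host with only loopback interfaces may get no results for an AF_UNSPEC lookup with this flag set.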
Comment 1 Darren Tucker 2015-10-27 09:23:03 AEDT
Comment on attachment 2739 [details]
the proposed patch

>+        AC_DEFINE([HAVE_AI_ADDRCONFIG])
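
Review bot: AC_DEFINE([HAVE_AI_ADDRCONFIG]) in the quoted line is called with the macro name only, with no value and no description argument, so autoheader has no template for the symbol unless one is supplied elsewhere in the patch. Use the three-argument form (name, value, description), or drop the configure-time symbol and test AI_ADDRCONFIG directly in the #ifdef.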

If you were going to do this in configure you should be using AC_CHECK_DECLS, but AI_ADDRCONFIG is already a preprocessor symbol so it'd be simpler to just use that in the ifdef.

All that said, having this different between portable and openbsd is a maintenance burden.  If we're going to do this perhaps it should be done upstream?
Comment 2 Darren Tucker 2015-10-27 09:27:38 AEDT
(In reply to Ivo Raisr from comment #0)
> Now some sites configure only IPv4 interfaces on the hosts; and name
> service responds only to IPv4 queries (IPv6 ones are ignored). This
> has very grave impact on the getaddrinfo() execution time because
> IPv6 queries basically timeout.

BTW that behaviour is so broken there's even an RFC for it: https://www.ietf.org/rfc/rfc4074.txt.  Maybe they should fix their DNS.
Comment 3 Ivo Raisr 2015-10-30 17:51:59 AEDT
(In reply to Darren Tucker from comment #1)
> Comment on attachment 2739 [details]
> the proposed patch
> 
> >+        AC_DEFINE([HAVE_AI_ADDRCONFIG])
> 
> If you were going to do this in configure you should be using
> AC_CHECK_DECLS, but AI_ADDRCONFIG is already a preprocessor symbol
> so it'd be simpler to just use that in the ifdef.

Patch #2 is reworked according to your comment.


> All that said, having this different between portable and openbsd is
> a maintenance burden.  If we're going to do this perhaps it should
> be done upstream?

I will try. Will go back here if that fails.
Comment 4 Ivo Raisr 2015-10-30 17:52:51 AEDT
Created attachment 2743 [details]
the proposed patch #2
Comment 5 Ivo Raisr 2015-10-30 21:14:56 AEDT
The bug was reported "upstream":

From	Ivo Raisr <ivo.raisr@oracle.com>
Subject a small change to OpenSSH upstream
Date	Fri, 30 Oct 2015 11:04:55 +0100

For details see:
http://lists.openbsd.org/cgi-bin/mj_wwwusr?user=ivo.raisr%40oracle.com&passw=F854-3519-0B6F&list=bugs&brief=on&func=archive-get-part&extra=201510/90
Comment 6 Damien Miller 2020-01-25 22:23:28 AEDT
closing five year old bug with no followup
Comment 7 Damien Miller 2021-04-23 15:02:04 AEST
closing resolved bugs as of 8.6p1 release