A script to workaround slow ssh connection issues
Authored by: sweth on Dec 29, '07 05:57:10AM
You shouldn't be seeing the SRV behaviour in Tiger, just Leopard. For those who care about the details, here's the explanation I sent to someone on a local sysadmin mailing list when they were running into ssh delays right after Leopard was released:

Assuming you are referring to problems when ssh-ing from a Leopard box to other systems, then the problem is probably the new behavior of the getaddrinfo() call in Leopard. Basically, that call in Leopard now uses the RFC-recommended practice of first issuing a DNS SRV record request rather than an A record request, and then falling back to the A record request if the SRV request fails; unfortunately, apparently a lot of DNS servers don't respond to the SRV request w/ an NXDOMAIN as they should, and instead just drop the request, so getaddrinfo() retries the SRV request a few times, and only after those requests time out does it try the A request. (I've heard reports that Leopard may generate DNS requests w/ an invalid RR type, which might explain why the servers being queried aren't responding to them correctly.) So if ssh is using getaddrinfo() rather than gethostbyname/getservbyname, then it would hang like you describe whenever you are pointing to a DNS server that doesn't respond well to the SRV request.

The easiest way to check if that's your problem would be to sniff traffic on port 53 while trying an ssh connection, and seeing if your box is making a SRV request or an A request.

(The DNS-SRV RFC explicitly notes that services whose protocol spec doesn't explicitly discuss using SRV should NOT use SRV, but I believe that LDAP is one of the few services that does discuss using it (and SRV was, I think, originally created by Microsoft folks to support LDAP stuff), so someone apparently compiled ssh in Leopard to use getaddrinfo for the LDAP auth lookup--and apparently was too lazy to put in logic to ONLY use getaddrinfo for an LDAP auth host lookup, and not for non-LDAP auth lookups and/or the actual ssh host lookup.)

AFAIK the only fix is to recompile SSH or to pre-empt the SRV lookup as this hint describes.
