slow ssh and ssl ... dns problem?

Kevin Darcy kcd at
Tue Jun 28 22:55:27 UTC 2005

Brad Knowles wrote:

>At 12:33 PM -0400 2005-06-06, Duane Winner wrote:
>> Starting 3 days ago, suddenly it seemed to take a very, very, very long
>> time for ssh and ssl communications to negotiate between nodes on my
>> network.
>> I have 3 subnets:
>> a LAN (
>> a DMZ (
>> a secured subnet for databases (
>	The problem is almost certainly reverse DNS for your networks. 
>These are RFC-1918 addresses, and while there is a project to serve 
>bogus reverse DNS data for them (so that the root nameservers don't 
>get buried with this traffic), if your nameservers can't contact 
>those machines, you're going to have problems.
>	A better solution is to set up your own reverse DNS for your IP 
>addresses, so that you're not dependent on these external servers for 
>your internal DNS.
Moreover, I think it should be a Best Practice for *all* organizations 
to define *all* of the reverse zones corresponding to the RFC 1918 
ranges, i.e. and the 16 zones from through The purpose is to block 
reverse lookups for mistyped and/or misconfigured addresses from being 
forwarded to Internet nameservers. Organizations would still, of course, 
be free to delegate *beneath* one or more of those higher-level zones, 
for maintainability, to optimize replication traffic, or any other 
reason they see fit...

- Kevin
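One way to apply the practice Kevin describes, as an added example that is not part of the original thread: a small POSIX shell script that generates BIND 9 `named.conf` stanzas making the local nameserver authoritative for all 18 RFC 1918 reverse zones, plus the shared empty zone file. The zone file name `db.empty` and the `hostmaster.localhost.` contact are placeholders to adjust for your installation.

```shell
#!/bin/sh
# Added example (not from the original post): emit BIND named.conf stanzas
# that make this server authoritative for every RFC 1918 reverse zone, so
# PTR lookups for mistyped or misconfigured private addresses are answered
# locally (NXDOMAIN) instead of being forwarded to Internet nameservers.
# "db.empty" and "hostmaster.localhost." are placeholder values.

# Print the 18 RFC 1918 reverse zone names, one per line:
# 10/8, 172.16/12 (sixteen /16 zones) and 192.168/16.
rfc1918_reverse_zones() {
    echo "10.in-addr.arpa"
    i=16
    while [ "$i" -le 31 ]; do
        echo "$i.172.in-addr.arpa"
        i=$((i + 1))
    done
    echo "168.192.in-addr.arpa"
}

# Emit one named.conf zone stanza. Because the server is authoritative for
# the zone, the answer comes from local data and is never forwarded.
zone_stanza() {
    printf 'zone "%s" IN {\n    type master;\n    file "db.empty";\n};\n' "$1"
}

# Emit the complete fragment for inclusion from named.conf.
rfc1918_named_conf() {
    rfc1918_reverse_zones | while read -r z; do
        zone_stanza "$z"
    done
}

# Shared zone file: SOA and NS only, no PTR records, so every name beneath
# the apex returns NXDOMAIN. To delegate a sub-zone (e.g. one /24 kept on a
# departmental server), add NS records for it here.
empty_zone_file() {
    cat <<'EOF'
$TTL 3H
@   IN SOA localhost. hostmaster.localhost. ( 1 1H 15M 1W 3H )
    IN NS  localhost.
EOF
}

rfc1918_named_conf
```

Write the stanzas to a file included from `named.conf` and `empty_zone_file` to `db.empty`, then check the result with `named-checkconf` and `named-checkzone` before reloading.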

More information about the bind-users mailing list