On 2016-11-21 Adam Thompson wrote:
> Sounds like a bug in host(1), which has been deprecated for several years now. Recommended solution: switch to "dig +short" instead.
I know host is outdated and maybe obsolete, but I see/saw no mention that it is deprecated (or unsupported). I guess I could try filing a bug for it to see. I use it mostly out of habit, and to save typing +short :-)
The reason this bug piqued my interest is actually not host(1), it is ssh when connecting to one of the "out" boxes from BOX1. Periodically all ssh attempts to the out box will take about 1-2 mins to start up. If I do ssh -vvv I can see it taking about 10s to do the initial name lookup (meaning it too is fetching more than just A records), but worst is the GSSAPI negotiation, which takes about 30s for each (of 3) attempts.
GSSAPI always fails to all my boxes, it seems (maybe because no Kerberos??), but the failures happen in a fraction of a second, so I don't care. Google says to disable all GSSAPI in ssh config, but it seems to be there by default now, and it doesn't hurt anything in every case except for this buggy one, so my preference is to leave it as-is and fix the DNS issue. (Besides, it's in my nature to solve the root problem and not resort to workarounds.)
So far, it's just host and ssh that seem to exhibit this behavior, but I guessed there would be more. Maybe that's wrong. There might be a way to force ssh to not do other-than-A lookups, and that would be a possible solution to this... I'll investigate some more.
I can't believe there aren't more BIND gurus in the club??
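As an added example (not part of this thread or of anyone's posted code), here is a small POSIX shell helper for narrowing down which record type is slow, the way "dig" rather than host(1) lets you do. It assumes dig's usual ";; Query time: N msec" footer line, a 2 s "slow" threshold, and the record name outbox.example.com; the embedded dig output is constructed for an offline run, not captured from a real resolver.

```shell
#!/bin/sh
# Flag slow DNS lookups per record type from dig output.
# Assumption: dig prints a footer line of the form ";; Query time: 12 msec".

SLOW_MSEC=2000   # assumed threshold in milliseconds; tune per environment

# query_time_msec: read dig output on stdin, print the Query time value (first match only).
query_time_msec() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# flag_slow TYPE MSEC: classify one measurement as OK or SLOW against the threshold.
flag_slow() {
    rtype="$1"
    msec="${2:-0}"
    if [ "$msec" -ge "$SLOW_MSEC" ]; then
        echo "SLOW $rtype ${msec}ms"
    else
        echo "OK $rtype ${msec}ms"
    fi
}

# check_lookup TYPE NAME: run one bounded dig query and classify its query time.
# +time/+tries keep a broken resolver from stalling the diagnosis itself.
check_lookup() {
    rtype="$1"
    name="$2"
    out=$(dig +time=5 +tries=1 "$rtype" "$name" 2>/dev/null)
    msec=$(printf '%s\n' "$out" | query_time_msec)
    flag_slow "$rtype" "${msec:-0}"
}

# diagnose NAME: check the record types a client such as ssh may resolve before connecting.
diagnose() {
    for t in A AAAA; do
        check_lookup "$t" "$1"
    done
}

# Constructed sample dig output (hypothetical values, not from a real server).
SAMPLE_A=';; ANSWER SECTION:
outbox.example.com.	300	IN	A	192.0.2.10

;; Query time: 12 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)'

SAMPLE_AAAA=';; Query time: 5010 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)'

# Live run only when a name is given on the command line, e.g.: sh dnscheck.sh outbox.example.com
if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

Feeding the two constructed samples through query_time_msec and flag_slow yields "OK A 12ms" and "SLOW AAAA 5010ms"; against a live resolver, a consistently SLOW line for one type (while the A answer returns quickly) points at that lookup as the source of the connect delay, which is the same thing the 10 s name-lookup pause in "ssh -vvv" shows from the client side.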