On Wed, 2006-04-19 at 18:01 -0400, Anton Okmianski (aokmians) wrote:
> Balazs:
>
> I don't think DNS lookup for validating clients will work in all cases. If
> syslog clients are NAT'ed (and many CPEs are), it does not make sense for
> them to have a hostname. You will not see the real source IP on the syslog
> server. So, if we recommend it as basic standard binding, its use will be
> limited.

Yes, I did not like the approach either; I just could not come up with
anything else.

>
> I agree that server validation is different. In this case you have the
> ultimate source IP and hostname lookup helps. You are validating that the
> certificate the server presented is not just signed by the right CA, but also
> authenticates the server you intended to connect to.

I think we should not rely on DNS in this case either, but rather require
the operator to supply a hostname.

--
Bazsi
