On Sun, Jul 27, 2014 at 05:54:15AM -0700, Kay Sievers wrote: > factory/etc/nsswitch.conf | 6 ++++++ > 1 file changed, 6 insertions(+) > > New commits: > commit ccc6fa0d6b8e3ce5e7508ee8a141ee26f380b4a3 > Author: Kay Sievers <k...@vrfy.org> > Date: Sun Jul 27 14:53:21 2014 +0200 > > factory: nss - add generic config > > diff --git a/factory/etc/nsswitch.conf b/factory/etc/nsswitch.conf > new file mode 100644 > index 0000000..5f2984e > --- /dev/null > +++ b/factory/etc/nsswitch.conf > @@ -0,0 +1,6 @@ > +# This file is part of systemd. > + > +passwd: files > +shadow: files > +group: files > +hosts: files mymachines resolve myhostname Hi Kay,
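Review bot: on the `hosts:` line of the new factory/etc/nsswitch.conf, myhostname is listed last, after mymachines and resolve, so a lookup of 'localhost' or of the machine's own hostname is answered by DNS (or by a registered container name) before the locally synthesized answer; where DNS records come from DHCP registrations or DNS is not authenticated on the local network, a stale or spoofed record can then override a name that never needs to leave the host. Consider `hosts: files myhostname mymachines resolve` so that local answers win and resolve is only consulted for names the host does not own.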
I know that traditionally myhostname is added at the end. But local configuration should be more trusted than DNS (*). It is also more trusted than guest machines. So imho the right order is

    files myhostname mymachines resolve

(*) One specific example that I've encountered is when local DNS is tied with DHCP server, and registers names automatically. Then a misconfiguration of the DNS server is likely, and it wreaks havoc. Common examples are starting to resolve 'localhost' when a computer without a hostname configured (and thus using localhost.localdomain as the fqdn) acquired an address, or resolving the name of a computer to the address of a previous lease.

Also, since DNS is not (usually) secure against attack over the local network, by giving DNS higher priority, we open up an attack vector where 'localhost' can be spoofed to refer to a different machine, even with a correctly functioning server.

There's no valid reason to make the resolution of localhost* names configurable through DNS, so we may just as well do it locally for speed and robustness. The same logic is true for the other names returned by myhostname.

Zbyszek
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
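The ordering concern raised in the reply can be turned into a configuration check. The script below is an added example, not code from systemd or from the thread: it parses the `hosts:` line of an nsswitch.conf and reports whether any DNS- or guest-backed source (dns, resolve, mymachines) is consulted before myhostname. The sample configurations are constructed from the committed line and the order proposed in the reply.

```python
import re
from typing import List, Tuple

# Sources whose answers depend on the network or on guest machines, and so can
# be influenced by a misconfigured DHCP-fed DNS server or a local attacker.
NON_LOCAL_SOURCES = {"dns", "resolve", "mymachines"}


def parse_hosts_sources(nsswitch_text: str) -> List[str]:
    """Return the ordered service names on the 'hosts:' line.

    Comments and blank lines are skipped; action blocks such as
    '[NOTFOUND=return]' are dropped because only lookup order matters here.
    """
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        if db.strip() != "hosts":
            continue
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # strip [STATUS=action] blocks
        return rest.split()
    return []


def check_hosts_order(nsswitch_text: str) -> Tuple[bool, str]:
    """Return (ok, reason): ok is False when myhostname is absent or when a
    non-local source would answer for localhost / the host's own name first."""
    sources = parse_hosts_sources(nsswitch_text)
    if "myhostname" not in sources:
        return False, "myhostname not listed on hosts: line"
    first_net = next((i for i, s in enumerate(sources)
                      if s in NON_LOCAL_SOURCES), None)
    my = sources.index("myhostname")
    if first_net is not None and first_net < my:
        return False, f"{sources[first_net]} is consulted before myhostname"
    return True, "local names resolved first: " + " ".join(sources)


# Constructed samples: the committed order and the order proposed in the reply.
COMMITTED = ("# This file is part of systemd.\n\npasswd: files\n"
             "hosts: files mymachines resolve myhostname\n")
PROPOSED = "hosts: files myhostname mymachines resolve\n"

if __name__ == "__main__":
    for name, text in (("committed", COMMITTED), ("proposed", PROPOSED)):
        ok, why = check_hosts_order(text)
        print(f"{name}: {'OK' if ok else 'WEAK'} - {why}")
```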