> On 26/07/2017, at 3:07 AM, Miroslav Lichvar <mlich...@redhat.com> wrote:
> 
> Right. There may also be AAAA records. To which addresses should it
> apply? The addresses may change over time. Should chronyd try to
> follow the changes? That would be tricky. I generally don't recommend
> using hostnames in allow/deny.

I agree with that. Fixed IPs are more secure and don't require assumptions. My 
point was how they should be interpreted if they are allowed.

The other issue is validation that the prefix is something sensible. ipv6/16 is 
a LOT of addresses and ipv4/128 is wrong :). I guess you are doing that already.

> 
>> In chrony I think name/prefix could mean all hosts in the network defined by 
>> (address & mask) == (host & mask)
> 
> I don't know. To me it doesn't feel right.

:) it's mathematically correct but may be confusing for some people.

> 
> I'd like to make a 3.2 prerelease today. I have a "bugfix" commit for
> this in my git. We can revisit this before the final release.

That would be good. Still nothing from Apple on fixing adjtime() but hopefully 
they will get to it soon.

B



Bryan Christianson
br...@whatroute.net
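
The two checks discussed in this message, a prefix length that is sensible for the address family and the (address & mask) == (host & mask) match, as an added example that is not part of the original message and is not chrony's code. The function names are hypothetical and the addresses are constructed samples from the documentation ranges.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helpers for illustration; these are not chrony functions. */
/* Address length in bytes for a family, 0 if unsupported. */
static int addr_len(int family)
{
    return family == AF_INET ? 4 : family == AF_INET6 ? 16 : 0;
}

/* A prefix is sensible only within 0..32 (IPv4) or 0..128 (IPv6). */
int prefix_valid(int family, int bits)
{
    int len = addr_len(family);
    return len != 0 && bits >= 0 && bits <= len * 8;
}

/* 1 if (addr & mask) == (host & mask), 0 if not, -1 on invalid input
   (bad prefix, unparsable address, or IPv4 and IPv6 mixed). */
int in_subnet(const char *addr, int bits, const char *host)
{
    unsigned char a[16], h[16];
    int family = strchr(addr, ':') ? AF_INET6 : AF_INET;
    int full = bits / 8, rem = bits % 8;

    if (!prefix_valid(family, bits))
        return -1;
    if (inet_pton(family, addr, a) != 1 || inet_pton(family, host, h) != 1)
        return -1;
    if (memcmp(a, h, full) != 0)          /* whole bytes covered by the mask */
        return 0;
    if (rem) {                            /* remaining high bits of next byte */
        unsigned char mask = (unsigned char)(0xff << (8 - rem));
        if ((a[full] & mask) != (h[full] & mask))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample addresses from the documentation ranges. */
    printf("%d\n", in_subnet("192.0.2.77", 24, "192.0.2.1"));   /* host bits set in addr */
    printf("%d\n", in_subnet("192.0.2.0", 128, "192.0.2.1"));   /* ipv4/128 is rejected */
    printf("%d\n", in_subnet("2001:db8::", 32, "2001:db8:1::5"));
    return 0;
}
```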



