I have an older NETGEAR switch that has an annoying habit of using its IP address in URLs that it sends back to the browser. The result can be seen here:

https://www.penurio.us/oops.png

I would like to add the switch's IP address to the Subject Alt Name extension of its TLS certificate, which is not currently supported by FreeIPA. I'm interested in trying to add this capability, if there's a chance that my work will be accepted.

My initial thought is that an IP address should only be accepted if all of the following are true:

1. One of the hostnames in the Subject Alt Name (or possibly the Common Name) ultimately resolves to that IP address, possibly via one or more CNAMEs.

2. All of the DNS records (A, AAAA, CNAME) involved in #1 are managed by this IPA instance.

3. The reverse DNS record for the IP address is managed by this IPA instance, and it points to an A or AAAA record that is managed by this IPA instance (and contains the correct IP address).

Does this make sense?

--
Ian Pilcher                                         arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
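
The three acceptance conditions proposed in the message above, written out as an added sketch that is not part of the original post and is not FreeIPA code. The record table, the example names and the function names are all constructed for illustration; "managed by this IPA instance" is modelled as "present in the table".

```python
import ipaddress

# Constructed sample data: the records this (hypothetical) IPA instance manages.
# Keys are (fully qualified lower-case name, record type).
MANAGED = {
    ("switch.example.test.", "CNAME"): ["sw1.lab.example.test."],
    ("sw1.lab.example.test.", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["sw1.lab.example.test."],
    ("ext.example.test.", "CNAME"): ["host.unmanaged.invalid."],
}

def fqdn(name):
    return name.lower().rstrip(".") + "."

def addrs(records, name, ip):
    """Managed A (IPv4) or AAAA (IPv6) addresses for name."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return {ipaddress.ip_address(a) for a in records.get((name, rtype), [])}

def forward_ok(records, name, ip, max_hops=8):
    """Conditions 1 and 2: name reaches ip, possibly via CNAMEs, and every
    record on the path is in the managed set (anything else is simply absent)."""
    name, seen = fqdn(name), set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        if ip in addrs(records, name, ip):
            return True
        cname = records.get((name, "CNAME"))
        if not cname:
            return False          # chain left the managed zones or dead-ends
        name = fqdn(cname[0])
    return False                  # CNAME loop or chain too long

def reverse_ok(records, ip):
    """Condition 3: managed PTR whose target has a managed A/AAAA with ip."""
    ptr = records.get((ip.reverse_pointer + ".", "PTR"), [])
    return any(ip in addrs(records, fqdn(t), ip) for t in ptr)

def ip_san_allowed(records, san_dns_names, ip_text):
    """True only if all three proposed conditions hold for ip_text."""
    ip = ipaddress.ip_address(ip_text)
    return any(forward_ok(records, n, ip) for n in san_dns_names) and reverse_ok(records, ip)
```

Because lookups only ever consult the managed table, a CNAME that points outside it fails condition 2 without any external resolution taking place.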