URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

pspacek commented:
"""
This entirely depends on configuration. Imagine the following imaginary company 
setup:
- public part of DNS tree is `example.com.`
- private part of DNS tree is `corp.`
- resolv.conf contains `corp` in search list

Now an admin is going to install an IPA instance for publicly available services 
at server `srv1.ipa.example.com.`.  The name `srv1.ipa.example.com.` is not 
resolvable as the --setup-dns option is used. Now, the `dns` module invoked by NSS 
will try to look up `srv1.ipa.example.com.`. It might (depending on 
configuration) fall back to `srv1.ipa.example.com.corp.` which may accidentally 
exist (as an IPA server for company internal purposes).

This is purely hypothetical, I'm just trying to show that the code is subtly 
broken.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/281#issuecomment-263589129
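
The search-list fallback described in the comment above, as an added example that is not part of the comment or of FreeIPA's code. It assumes the conventional resolv.conf `search`/`ndots` rules and a host name typed without the trailing dot; the resolv.conf text, the zone table and all function names are constructed for illustration.

```python
# Added illustration: models the conventional resolv.conf "search"/"ndots" rules
# (an assumption about the resolver). RESOLV_CONF and ZONE are constructed data.

def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf content."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue                         # blank line or comment
        if fields[0] in ("search", "domain"):
            search = fields[1:]              # the last search/domain line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidates(name, search, ndots):
    """Absolute names a stub resolver would query, in order."""
    if name.endswith("."):
        return [name]                        # absolute name: no search list
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    as_is = [name + "."]
    # Enough dots: try the name as given first, then the search list.
    return as_is + expanded if name.count(".") >= ndots else expanded + as_is

def resolve(name, search, ndots, zone):
    """Return (queried FQDN, address) for the first candidate found in zone."""
    for fqdn in candidates(name, search, ndots):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None, None

def check_server_name(name, search, ndots, zone):
    """Accept only an answer that came from the exact name that was asked for."""
    fqdn, _addr = resolve(name, search, ndots, zone)
    if fqdn is None:
        return "unresolvable"
    wanted = name.rstrip(".") + "."
    return "ok" if fqdn == wanted else f"mismatch: answered by {fqdn}"

RESOLV_CONF = "search corp\nnameserver 192.0.2.53\n"    # constructed
ZONE = {"srv1.ipa.example.com.corp.": "10.0.0.5"}       # constructed internal record
SEARCH, NDOTS = parse_resolv_conf(RESOLV_CONF)
```

With this sample data the public name is answered by the internal `corp.` record unless the check compares the queried name with the requested one, or the name is passed in absolute form.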