URL: https://github.com/freeipa/freeipa/pull/281 Title: #281: Accept server host names resolvable only using /etc/hosts
pspacek commented: """ This entirely depends on configuration. Imagine the following imaginary company setup:
- public part of DNS tree is `example.com.`
- private part of DNS tree is `corp.`
- resolv.conf contains `corp` in search list

Now an admin is going to install an IPA instance for publicly available services at server `srv1.ipa.example.com.`. The name `srv1.ipa.example.com.` is not resolvable as the --setup-dns option is used. Now, the `dns` module invoked by NSS will try to look up `srv1.ipa.example.com.`. It might (depending on configuration) fall back to `srv1.ipa.example.com.corp.` which may accidentally exist (as an IPA server for company internal purposes). This is purely hypothetical; I'm just trying to show that the code is subtly broken. """ See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263589129
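The search-list fallback described in the comment, modelled as an added example (not FreeIPA code and not part of the thread). It assumes glibc-style resolv.conf semantics (a trailing dot makes a name absolute; a relative name with at least `ndots` dots is tried as-is first, then with each search suffix appended) and a constructed host table in which only the internal `corp` server exists.

```python
# Added example: how a stub resolver's search list turns one host name into
# several lookup candidates, and why that can match an unrelated machine.
# Candidate order follows glibc resolv.conf semantics (assumption, not FreeIPA
# code): an absolute name (trailing ".") is tried alone; a relative name with
# >= ndots dots is tried as-is first, then with each search suffix appended.

def search_candidates(name, search_list, ndots=1):
    """Return the fully-qualified names a resolver would try, in order."""
    if name.endswith("."):
        return [name]
    absolute = name + "."
    with_suffix = [f"{name}.{s.rstrip('.')}." for s in search_list]
    if name.count(".") >= ndots:
        return [absolute] + with_suffix
    return with_suffix + [absolute]

# Constructed host table standing in for what DNS or /etc/hosts can answer:
# the public name does not exist yet (it is to be created by --setup-dns),
# but an internal server with the same labels happens to exist under corp.
KNOWN_HOSTS = {
    "srv1.ipa.example.com.corp.": "10.0.0.5",   # constructed address
}

def resolve(name, search_list, hosts=KNOWN_HOSTS, ndots=1):
    """Return (fqdn, address) for the first candidate found, or None."""
    for fqdn in search_candidates(name, search_list, ndots):
        if fqdn in hosts:
            return fqdn, hosts[fqdn]
    return None

if __name__ == "__main__":
    # Relative name: the search list silently redirects to the internal host.
    print(resolve("srv1.ipa.example.com", ["corp"]))
    # Absolute name: no search-list fallback, so the lookup fails instead of
    # matching an unrelated machine. Installers should canonicalise to this.
    print(resolve("srv1.ipa.example.com.", ["corp"]))
```

The defensive check this suggests is to treat the configured server name as absolute before resolving it, so that a missing record fails the check rather than landing on whatever host the search list finds.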
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code