URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

pspacek commented:
This entirely depends on configuration. Imagine the following imaginary company:
- public part of DNS tree is `example.com.`
- private part of DNS tree is `corp.`
- resolv.conf contains `corp` in search list

Now an admin is going to install an IPA instance for publicly available services 
at server `srv1.ipa.example.com.`.  The name `srv1.ipa.example.com.` is not 
resolvable as the `--setup-dns` option is used. Now, the `dns` module invoked by NSS 
will try to look up `srv1.ipa.example.com.`. It might (depending on 
configuration) fall back to `srv1.ipa.example.com.corp.` which may accidentally 
exist (as an IPA server for company internal purposes).

This is purely hypothetical, I'm just trying to show that the code is subtly 

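The search-list fallback described in the comment above, as an added example that is not part of the original comment or of FreeIPA's code: a simplified model of how a glibc-style stub resolver expands a name using `search` and `ndots`, with a check that flags an answer that came from a search-suffix expansion instead of the name requested. The function names, the sample `resolv.conf` text, the addresses and the dictionary standing in for DNS are all constructed for illustration.

```python
def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf content (simplified parser)."""
    search, ndots = [], 1  # ndots defaults to 1
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "search":
            search = [d.rstrip(".") for d in fields[1:]]  # last 'search' line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def candidates(name, search, ndots=1):
    """Names queried, in order, under this simplified model of the stub resolver."""
    if name.endswith("."):
        return [name]  # model assumption: a trailing dot disables search expansion
    as_is = name + "."
    expanded = [f"{name}.{domain}." for domain in search]
    # Enough dots: try the name as given first, then the search list on failure.
    if name.count(".") >= ndots:
        return [as_is] + expanded
    return expanded + [as_is]


def resolve(name, search, ndots, zone):
    """Walk the candidates against a dict standing in for DNS."""
    for cand in candidates(name, search, ndots):
        if cand in zone:
            return cand, zone[cand]
    return None


def shadowed(name, search, ndots, zone):
    """True when the answer belongs to a search-list expansion, not the name asked for."""
    hit = resolve(name, search, ndots, zone)
    return hit is not None and hit[0] != name.rstrip(".") + "."


# Constructed sample input matching the scenario in the comment.
RESOLV_CONF = "search corp\nnameserver 192.0.2.53\n"
INTERNAL_ONLY = {"srv1.ipa.example.com.corp.": "10.0.0.5"}

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    print(candidates("srv1.ipa.example.com", search, ndots))
    print(resolve("srv1.ipa.example.com", search, ndots, INTERNAL_ONLY))
```

An installer-side check built on this idea would compare the canonical name in the answer with the host name the admin supplied and refuse to continue when they differ.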