On 06/14/2010 11:02 AM, Nicolas Charles wrote:
> But if we authorise hosts to connect, cfengine could host2ip each host to
> see if the client is allowed to connect, rather than having the user
> write the host2ip himself in the promise.
> I'm a bit lazy sometimes :)
Reverse DNS is simply good DNS practice. I love to flog the lazy sysadmin stereotype at times too, but sometimes being lazy just creates more work for you later, which, at least for this sysadmin, is anathema. Do it right from the beginning instead of creating more work (for me) later. Efficiency is the best course to laziness.

Are you going to list every host that could possibly connect? You can't use wildcards with a scheme like this. Are you going to do that when you have thousands of hosts?

RFC1912 really says it better than I could:

2.1 Inconsistent, Missing, or Bad Data

Every Internet-reachable host should have a name. The consequences of this are becoming more and more obvious. Many services available on the Internet will not talk to you if you aren't correctly registered in the DNS.

Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain. If a host is multi-homed (more than one IP address), make sure that all IP addresses have a corresponding PTR record (not just the first one). Failure to have matching PTR and A records can cause loss of Internet services similar to not being registered in the DNS at all. Also, PTR records must point back to a valid A record, not an alias defined by a CNAME. It is highly recommended that you use some software which automates this checking, or generate your DNS data from a database which automatically creates consistent data.

Now I understand this isn't an "Internet-reachable" host, but the principles still apply on a private network. It's much more efficient to do a single reverse lookup for an IP when it connects rather than querying, building, and storing tables of potentially thousands of hosts that *might* connect.

-- 
/* Wes Hardin */

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
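The RFC 1912 checks quoted above (every A has a matching PTR, every PTR points back at an A record and not at a CNAME, all addresses of a multi-homed host are covered), together with the single reverse-then-forward lookup a server would do when a client connects, as an added example for this thread. This is not CFEngine code and is not from either poster; the zone tables, hostnames and addresses below are constructed for illustration, and the lookup functions read those tables instead of querying a real resolver.

```python
"""Forward/reverse DNS consistency checks in the spirit of RFC 1912, section 2.1.

Added example for the thread above: not CFEngine code, not from either poster.
All zone data here is constructed; feed audit_zone() records dumped from a real
zone, and fcrdns() real resolver callbacks, to use it in anger.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed forward zone: owner name -> A records (trailing dots = fully qualified).
FORWARD: Dict[str, List[str]] = {
    "web1.example.com.": ["192.0.2.10"],
    "db1.example.com.": ["192.0.2.20", "198.51.100.20"],  # multi-homed host
    "mail.example.com.": ["192.0.2.30"],
    "old.example.com.": ["192.0.2.40"],
}
# Constructed aliases: CNAME owner -> canonical name.
CNAMES: Dict[str, str] = {"www.example.com.": "web1.example.com."}

# Constructed reverse zone: address -> PTR target. Each deliberate defect is noted.
REVERSE: Dict[str, str] = {
    "192.0.2.10": "web1.example.com.",
    "192.0.2.20": "db1.example.com.",
    # 198.51.100.20 has no PTR: the second address of the multi-homed host was forgotten.
    "192.0.2.30": "www.example.com.",   # PTR points at a CNAME, which RFC 1912 forbids
    "192.0.2.50": "ghost.example.com.", # PTR with no forward record at all
}


def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for ip, e.g. 10.2.0.192.in-addr.arpa (for reports)."""
    return ipaddress.ip_address(ip).reverse_pointer


def audit_zone(forward: Dict[str, List[str]], cnames: Dict[str, str],
               reverse: Dict[str, str]) -> List[str]:
    """Return one human-readable line per RFC 1912 section 2.1 violation found."""
    problems: List[str] = []
    # Rule 1: every A record, including every address of a multi-homed host, needs a
    # PTR that names the same owner.
    for host, addrs in forward.items():
        for ip in addrs:
            target = reverse.get(ip)
            if target is None:
                problems.append(f"missing PTR: {ptr_owner(ip)} should point to {host}")
            elif target != host:
                problems.append(f"mismatched PTR: {ip} -> {target}, but A record owner is {host}")
    # Rule 2: every PTR must point at a name that owns an A record for that address,
    # and that name must not be a CNAME.
    for ip, target in reverse.items():
        if target in cnames:
            problems.append(f"PTR {ip} -> {target} is a CNAME, not a valid A record")
        elif ip not in forward.get(target, []):
            problems.append(f"dangling PTR: {ip} -> {target} has no matching A record")
    return problems


# Table-backed stand-ins for resolver calls (constructed; a real deployment would
# use the system resolver or a DNS library here).
def table_ptr(ip: str) -> Optional[str]:
    return REVERSE.get(ip)


def table_a(name: str, depth: int = 0) -> List[str]:
    """Answer an A query the way a resolver would: follow CNAME chains (bounded)."""
    if depth > 8:
        return []
    if name in CNAMES:
        return table_a(CNAMES[name], depth + 1)
    return FORWARD.get(name, [])


def fcrdns(ip: str, resolve_ptr: Callable[[str], Optional[str]],
           resolve_a: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS for a connecting address.

    Two lookups per connection: PTR for the address, then A for the name the PTR
    gave back, accepting only if the original address is among the answers. The
    forward confirmation matters because whoever controls the reverse zone for an
    address block can publish any PTR they like.
    Returns (accepted, hostname or reason).
    """
    name = resolve_ptr(ip)
    if name is None:
        return False, "no PTR record"
    if ip not in resolve_a(name):
        return False, f"PTR {name} does not resolve back to {ip}"
    return True, name


if __name__ == "__main__":
    for line in audit_zone(FORWARD, CNAMES, REVERSE):
        print("audit:", line)
    for client in ("192.0.2.10", "192.0.2.30", "192.0.2.40", "198.51.100.20"):
        print("connect from", client, "->", fcrdns(client, table_ptr, table_a))
```

With the constructed tables, the audit reports five defects (the forgotten second PTR of db1, the PTR for mail that names a CNAME (flagged under both rules), the host with no PTR at all, and the orphan PTR for a name that no longer exists), and only web1 passes the connection-time check. Running the audit from the zone source, as the RFC suggests, is what keeps the cheap per-connection lookup trustworthy.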