On Mon, 2005-01-17 at 16:49 -0500, Rachel Elizabeth Dillon wrote:
> On Mon, Jan 17, 2005 at 04:40:59AM +0100, Fredrik Tolf wrote:
> > I was thinking about adding local hints to our own reverse zones to our
> > Bind configs to make reverse lookups work just between our own networks,
> > but that will be extremely difficult at best, since he has a dynamic IP.
> > We can figure out how to update the forward zones when his IP changes,
> > but since updating the reverse zones involves creating an entire new
> > zone each time, that solution feels a bit hopeless... :-(
>
> Making a new zone is not particularly harder than updating an existing
> zone. It will lead to a bunch of useless reverse zone files, but you could
> write a script to clean those up too. I am assuming that you are running
> your own DNS servers here; if not, I am not sure what you would do. If
> you are running your own DNS server, you still have to tread carefully
> when making yourself the primary source of reverse DNS information, but
> I think you should be able to do it. (You should even be able to set up
> something that does the updates automatically; I would use Net::DNS in
> Perl to do this, but I am sure there are plenty of fine solutions.)

Correct me if I'm wrong now, but it still seems like a rather large thing
to do, since a new zone will have to be created every time. To me, it seems
like I have to write a script suite that

1. Detects when the IP address changes (OK, I'd have to do that anyway),
2. Updates named.conf automatically,
3. Creates a new zone file and populates it, and
4. Notifies a script on the other domain remotely, which then in turn
   updates the hint info in the other domain's named.conf, by creating and
   populating a new hint zone.

If you know of a better way to fix that, please do tell me. =)

However,

> > So, is there anyone who has experienced a similar situation before and
> > solved it? Is there, by any chance, another way of letting Kerberos
> > canonicalize service principal names?
>
> I've never had to deal with this personally, nor do I know of another way
> to canonicalize service principal names; I just happen to have been doing
> a lot of work with DNS recently. :)

I came up with a fairly simple solution that would be to add, to inetd on
each host, a simple program that just echoes to the connecting host what
that host's perception of its own FQDN is. Then I'd write a simple nsswitch
module for gethostbyaddr (possibly with some kind of config file so that it
never tries for hosts that aren't supposed to be part of this) that connects
to this service on the address that it is supposed to canonicalize.

As I see it, it should work with no security problems. I'm not sure,
though, so if anyone can see a problem with this scheme, could you please
tell me?

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
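The echo-and-canonicalize scheme sketched above, as an added example that is not part of this thread or anyone's posted code: a tiny inetd-style TCP service that echoes the host's own idea of its FQDN, and a client that treats the answer as untrusted input and accepts it only after forward-resolving the claimed name back to the address it asked. The forward-lookup table, host names and port are constructed for the example; a real client would query DNS instead of the table.

```python
import re
import socket
import socketserver
import threading

# Constructed stand-in for forward (A-record) DNS lookups: name -> addresses.
FORWARD_TABLE = {
    "host1.example.net": {"127.0.0.1"},
    "host2.example.net": {"192.0.2.7"},
}

# A claimed name must look like a hostname before we do anything with it.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


class FqdnEchoHandler(socketserver.StreamRequestHandler):
    """Echo this host's own FQDN on connect, then close (what inetd would run)."""

    def handle(self):
        self.wfile.write((self.server.fqdn + "\n").encode("ascii"))


def start_echo_server(fqdn, host="127.0.0.1", port=0):
    """Start the echo service in a background thread; return (server, port)."""
    srv = socketserver.TCPServer((host, port), FqdnEchoHandler)
    srv.fqdn = fqdn
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def ask_fqdn(addr, port, timeout=2.0):
    """Connect to addr:port and read one line: the peer's claimed FQDN."""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        line = s.makefile("rb").readline(256)
    return line.decode("ascii", "replace").strip().rstrip(".").lower()


def canonicalize(addr, port, forward=FORWARD_TABLE):
    """Return the claimed FQDN only if it is well-formed and forward-resolves
    back to addr (forward-confirmed, the same check done for PTR records);
    otherwise None, which the nsswitch module would report as 'not found'."""
    name = ask_fqdn(addr, port)
    if not HOSTNAME_RE.match(name):
        return None
    if addr not in forward.get(name, set()):
        return None
    return name
```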
