Hi, I also have concerns about depending on DNS.

I want to be sure I understand what you are suggesting as an alternative. Is the mapping from IP to hostname operator-defined in a static way? What happens, network-management-wise, when an IP address changes for a given host, or more importantly, is reissued to a different host?

David Harrington
FutureWei Technologies, a Huawei company
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

> -----Original Message-----
> From: Balazs Scheidler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 20, 2006 3:41 AM
> To: Anton Okmianski (aokmians)
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Syslog] Summary of the syslog/tls issues resolving
>
> On Wed, 2006-04-19 at 18:01 -0400, Anton Okmianski (aokmians) wrote:
> > Balazs:
> >
> > I don't think DNS lookup for validating clients will work in all cases. If
> > syslog clients are NAT'ed (and many CPEs are), it does not make sense for
> > them to have a hostname. You will not see the real source IP on syslog
> > server. So, if we recommend it as basic standard binding its use will be
> > limited.
>
> Yes, I did not like the approach either, I just could not come up with
> anything else.
>
> > I agree that server validation is different. In this case you have the
> > ultimate source IP and hostname lookup helps. You are validating that the
> > certificate the server presented is not just signed by right CA, but also
> > authenticates the server you intended to connect to.
>
> I think we should not rely on DNS in this case either, but rather
> require the operator to supply a hostname.
>
> --
> Bazsi
>
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/syslog
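The server-validation step the thread discusses (checking that the certificate the collector presents names the host the operator intended to talk to, rather than a name derived from a DNS lookup on the peer's IP) is the part a syslog/TLS client has to get right. The following Python is an added illustration, not code from this thread or from any syslog implementation; it works on a certificate dictionary in the shape `ssl.SSLSocket.getpeercert()` returns, and the certificate and target names below are constructed for the example. The identity check uses only the operator-supplied target, so a reverse-DNS answer (which whoever controls the IP's PTR record can set) never enters the decision.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# SAN carries the real identities; the CN is stale and must be ignored.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "old-collector.example.net"),),),
    "subjectAltName": (
        ("DNS", "collector.example.net"),
        ("DNS", "*.logs.example.net"),
        ("IP Address", "198.51.100.7"),
    ),
}


def dns_names_from_peercert(cert):
    """Return the dNSName SAN entries; fall back to the subject CN only when
    the certificate has no SAN at all (the legacy rule)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _dns_name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard is allowed only as the whole
    leftmost label and must cover exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def server_identity_ok(cert, configured_target):
    """Decide whether the presented certificate authenticates the target
    the operator configured. The target is taken from configuration, never
    from a reverse lookup of the peer address. An IP-literal target is only
    accepted if the certificate carries that address as an iPAddress SAN."""
    try:
        wanted_ip = ipaddress.ip_address(configured_target)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(
            kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
            for kind, value in cert.get("subjectAltName", ())
        )
    return any(_dns_name_matches(n, configured_target)
               for n in dns_names_from_peercert(cert))


if __name__ == "__main__":
    for target in ("collector.example.net", "host1.logs.example.net",
                   "old-collector.example.net", "198.51.100.7"):
        print(target, "->", server_identity_ok(SAMPLE_PEERCERT, target))
```

In a real client this check runs after chain validation against the trusted CA (in Python, `ssl.SSLContext.wrap_socket(..., server_hostname=...)` performs both when `check_hostname` is on); the point here is that the name being matched comes from the operator's configuration, so a collector whose address changes, or an address reissued to another host, does not silently become an acceptable peer.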
