On 21.5.2014 15:46, Davis Goodman wrote:



--
<http://www.digital-district.ca/>

On May 21, 2014, at 8:17 , Petr Spacek <pspa...@redhat.com
<mailto:pspa...@redhat.com>> wrote:

Hello,

On 21.5.2014 13:31, Davis Goodman wrote:
ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"

Please note that domain shadowing/hijacking/name collisions are *strongly*
discouraged.

You *should not* use domain names you don't own. (According to
http://www.iana.org/cgi-bin/intreg/intreg.pl
domain name 'ddistrict.int' is not registered. Policy for .int registration is
on http://www.iana.org/domains/int/policy)

It will cause problems with DNSSEC and it also prevents you from accessing
resources on the Internet under the colliding name.


I guess that you want to have an internal sub-tree in DNS.
The recommended practice is to use a sub-domain of your public (properly
registered) domain. E.g.:

'int.digital-district.ca'
or even shorter
'i.digital-district.ca'

I hope this will help you to avoid serious problems in the future.

Have a nice day!

--
Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Hi Peter,

Gee, I didn’t even know the .int was a public suffix domain. I guess we’re kind
of stuck with it now, but it’s good to know.

Oh yes, that is the reason why we strongly recommend people to use a sub-tree in *their* domain. That prevents such situations (e.g. when ICANN delegates new TLDs).

Please see
http://www.freeipa.org/page/Deployment_Recommendations
and documents linked from that page for details.

Have a nice day!

--
Petr^2 Spacek
