On 06/14/2010 11:02 AM, Nicolas Charles wrote:
> But if we authorise hosts to connect, cfengine could host2ip each host to
> see if the client is allowed to connect, rather than having the user
> write the host2ip in the promise himself
> I'm a bit lazy sometimes :)
Reverse DNS is simply good DNS practice. I love to flog the lazy sysadmin
stereotype at times too, but sometimes being lazy just creates more work for
you later which, at least for this sysadmin, is anathema. Do it right from the
beginning instead of creating more work (for me) later. Efficiency is the best
course to laziness.
Are you going to list every host that could possibly connect? You can't use
wildcards with a scheme like this. Are you going to do that when you have
thousands of hosts?
RFC1912 really says it better than I could:
2.1 Inconsistent, Missing, or Bad Data
Every Internet-reachable host should have a name. The consequences
of this are becoming more and more obvious. Many services available
on the Internet will not talk to you if you aren't correctly
registered in the DNS.
Make sure your PTR and A records match. For every IP address, there
should be a matching PTR record in the in-addr.arpa domain. If a
host is multi-homed, (more than one IP address) make sure that all IP
addresses have a corresponding PTR record (not just the first one).
Failure to have matching PTR and A records can cause loss of Internet
services similar to not being registered in the DNS at all. Also,
PTR records must point back to a valid A record, not an alias defined
by a CNAME. It is highly recommended that you use some software
which automates this checking, or generate your DNS data from a
database which automatically creates consistent data.
Now I understand this isn't an "Internet-reachable" host, but the principles
still apply on a private network. It's much more efficient to do a single
reverse lookup for an IP when it connects rather than querying, building, and
storing tables of potentially thousands of hosts that *might* connect.
--
/* Wes Hardin */
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
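The check Wes describes (one reverse lookup when a client connects, accepted only if the PTR and A records agree) is forward-confirmed reverse DNS. The script below is an added example, not code from this thread or from CFEngine; it shows why the forward confirmation matters: whoever controls the reverse zone for an IP can put any name in the PTR, so a bare reverse lookup is not an access control. Resolver functions are injected so the check can be exercised offline against a constructed zone table; `system_reverse`/`system_forward` (names chosen here) wrap the standard library for live use. The hostnames and addresses are made up.

```python
"""Forward-confirmed reverse DNS (FCrDNS) admission check.

Added example for the discussion above; not code from the thread or from
CFEngine. Resolver callables are parameters so the logic runs offline.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple

ReverseFn = Callable[[str], Optional[str]]   # ip -> PTR name, or None
ForwardFn = Callable[[str], Iterable[str]]   # name -> addresses (A/AAAA)


def fcrdns_check(ip: str, reverse: ReverseFn, forward: ForwardFn) -> Tuple[bool, str]:
    """Return (ok, hostname) on success or (False, reason) on failure.

    1. Look up the PTR record for ``ip``.
    2. Resolve the returned name back to its addresses.
    3. Accept only if ``ip`` is among them, i.e. PTR and A records match.
    A missing PTR, a PTR name with no forward record, or a mismatch is refused.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, f"{ip!r} is not an IP address"
    name = reverse(str(addr))
    if not name:
        return False, f"no PTR record for {addr}"
    name = name.rstrip(".").lower()          # normalise "Web1.Example.Test."
    forward_addrs = {ipaddress.ip_address(a) for a in forward(name)}
    if not forward_addrs:
        return False, f"PTR name {name} has no forward record"
    if addr not in forward_addrs:
        # The reverse zone claims a name whose owner does not claim this IP.
        return False, f"{name} resolves to {sorted(map(str, forward_addrs))}, not {addr}"
    return True, name


def is_admitted(ip: str, reverse: ReverseFn, forward: ForwardFn,
                admitted_domains: List[str]) -> Tuple[bool, str]:
    """FCrDNS plus a domain allow-list, the hostname-based 'admit' the thread
    argues for instead of enumerating thousands of individual IPs."""
    ok, name_or_reason = fcrdns_check(ip, reverse, forward)
    if not ok:
        return False, name_or_reason
    for dom in admitted_domains:
        d = dom.lower().strip(".")
        if name_or_reason == d or name_or_reason.endswith("." + d):
            return True, name_or_reason
    return False, f"{name_or_reason} is not in an admitted domain"


# --- live resolvers (standard library) ------------------------------------
def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> List[str]:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# --- constructed zone data for an offline demonstration (not real hosts) ---
FAKE_PTR = {
    "10.0.0.5": "Web1.Example.Test.",    # consistent PTR/A pair
    "10.0.0.6": "web2.example.test.",    # A record points elsewhere
    "10.0.0.7": "ghost.example.test.",   # PTR name with no A record
    "10.0.0.9": "web1.example.test.",    # spoofed PTR borrowing a trusted name
    "10.0.0.10": "mail.attacker.test.",  # self-consistent but foreign domain
}
FAKE_FWD = {
    "web1.example.test": ["10.0.0.5"],
    "web2.example.test": ["10.0.0.16"],
    "mail.attacker.test": ["10.0.0.10"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    return FAKE_FWD.get(name, [])


if __name__ == "__main__":
    for client in ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8",
                   "10.0.0.9", "10.0.0.10", "not-an-ip"]:
        print(client, is_admitted(client, fake_reverse, fake_forward, ["example.test"]))
```

The 10.0.0.9 case is the one that a reverse-only check gets wrong: its PTR says `web1.example.test`, but that name's A record is 10.0.0.5, so the forward step refuses it. The 10.0.0.10 case passes FCrDNS (its PTR and A agree) and is refused only by the domain allow-list, which is why the two checks are combined.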