It did actually break something - Kerberos authentication performs a client-side PTR record lookup against the host you're connecting to, and compares the result against the identity that the server claims to have. If there's a mismatch, then the authentication can't continue. Round-robin PTR records create sporadic Kerberos authentication failures and force client software to fall back on other authentication methods. Ignore what I said about SSL certs; it's incorrect.
An option for the alternative behavior would indeed play nicely with everything. Sorry about going the hypothetical route, I was just wondering if there were any legitimate uses of round-robin PTR in the current approach that I was failing to appreciate. (for my own education)

On Mon, Jul 25, 2011 at 9:26 AM, bert hubert <[email protected]> wrote:

> On Sat, Jul 23, 2011 at 06:07:44PM -0400, Andrew Boling wrote:
> > canonical name. The current implementation causes problems with software
> > that uses any form of name validation against PTR records (i.e. SSL certs or
> > Kerberos auth).
>
> Well.. I don't think that gets you far anyhow.
>
> > I am aware of the alternatives of using auth-zone or running a
> > separate authoritative server for the local domain, so this isn't a show
> > stopper for me. Round-robin PTRs do seem a little counter-intuitive though,
> > so I figured it wouldn't hurt to see how others felt about it.
>
> What we did was copy the behaviour of djbdns and several other tools that do
> it in this way.
>
> Was your question theoretical or is it actually breaking some things for you?
>
> We could of course add a flag to switch behaviour, but I'd only do so if
> someone is really hurt by what we do now.
>
> --
> PowerDNS Website: http://www.powerdns.com/
> PowerDNS Community Website: http://wiki.powerdns.com/
>
> > As an example, if /etc/hosts contains the following line:
> > 192.168.0.1 somehost.mydomain somehost1 somehost2
> >
> > Queries against the DNS server will return records like so:
> > somehost:/etc/powerdns# host -t PTR 192.168.0.1
> > 1.0.168.192.in-addr.arpa domain name pointer somehost1.
> > 1.0.168.192.in-addr.arpa domain name pointer somehost.mydomain.
> > 1.0.168.192.in-addr.arpa domain name pointer somehost2.
> > somehost:/etc/powerdns# host -t PTR 192.168.0.1
> > 1.0.168.192.in-addr.arpa domain name pointer somehost2.
> > 1.0.168.192.in-addr.arpa domain name pointer somehost1.
> > 1.0.168.192.in-addr.arpa domain name pointer somehost.mydomain.
> >
> > OS: Debian Squeeze
> > Version: 3.2 (OS-supplied binary distro, no recompile)
> > _______________________________________________
> > Pdns-dev mailing list
> > [email protected]
> > http://mailman.powerdns.com/mailman/listinfo/pdns-dev
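The failure Andrew describes (a name-validating client seeing a different first PTR answer on each query), as an added example that is not code from this thread or from PowerDNS: it rebuilds the PTR set the quoted /etc/hosts line produces, parses the quoted `host -t PTR` output, flags owners with more than one target, and computes how often a strict check fails under rotation. The sample output is constructed from the thread, `2.0.168.192.in-addr.arpa` / `otherhost.mydomain` is a hypothetical contrast host, and the "client keeps only the first answer" model is an assumption about client behaviour, not a description of any particular Kerberos implementation.

```python
import re
from collections import defaultdict

# Constructed sample: the two `host -t PTR 192.168.0.1` runs quoted in the
# thread, plus one hypothetical single-PTR host for contrast.
SAMPLE_HOST_OUTPUT = """\
1.0.168.192.in-addr.arpa domain name pointer somehost1.
1.0.168.192.in-addr.arpa domain name pointer somehost.mydomain.
1.0.168.192.in-addr.arpa domain name pointer somehost2.
1.0.168.192.in-addr.arpa domain name pointer somehost2.
1.0.168.192.in-addr.arpa domain name pointer somehost1.
1.0.168.192.in-addr.arpa domain name pointer somehost.mydomain.
2.0.168.192.in-addr.arpa domain name pointer otherhost.mydomain.
"""
PTR_LINE = re.compile(r"^(\S+\.in-addr\.arpa) domain name pointer (\S+?)\.?$")

def reverse_name(ip):
    """192.168.0.1 -> 1.0.168.192.in-addr.arpa (IPv4 only)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def hosts_line_to_ptrs(line):
    """Every name on an /etc/hosts line becomes a PTR target (the behaviour
    the thread describes). Returns (owner, [targets]) or None."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    return reverse_name(fields[0]), fields[1:]

def parse_ptr_output(text):
    """Group `host -t PTR` answer lines into owner -> distinct targets."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        m = PTR_LINE.match(line.strip())
        if m and m.group(2) not in rrsets[m.group(1)]:
            rrsets[m.group(1)].append(m.group(2))
    return dict(rrsets)

def round_robin_owners(rrsets):
    """Owners with more than one PTR target: these are the ones that will
    fail sporadically against a name-validating client."""
    return sorted(o for o, t in rrsets.items() if len(t) > 1)

def strict_client_accepts(rrset, expected_host, rotation):
    """Model (an assumption) of a client that keeps only the first PTR answer
    and compares it to the server's claimed identity; the resolver's rotation
    decides which record comes first."""
    return rrset[rotation % len(rrset)] == expected_host

def failure_fraction(rrset, expected_host):
    """Share of rotations on which the strict check fails: (n-1)/n for n targets."""
    n = len(rrset)
    return sum(not strict_client_accepts(rrset, expected_host, r) for r in range(n)) / n
```

Running `round_robin_owners(parse_ptr_output(...))` over real `host -t PTR` output for your address range is a quick way to find every host that will hit this before users report intermittent logon failures.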
