[Freeipa-devel] [freeipa PR#281][comment] Accept server host names resolvable only using /etc/hosts

pspacek freeipa-github-notification at redhat.com
Tue Nov 29 14:46:35 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/281
Title: #281: Accept server host names resolvable only using /etc/hosts

pspacek commented:
"""
This entirely depends on configuration. Imagine the following imaginary company setup:
- public part of DNS tree is `example.com.`
- private part of DNS tree is `corp.`
- resolv.conf contains `corp` in search list

Now an admin is going to install an IPA instance for publicly available services at server `srv1.ipa.example.com.`.  The name `srv1.ipa.example.com.` is not resolvable as the --setup-dns option is used. Now, the `dns` module invoked by NSS will try to look up `srv1.ipa.example.com.`. It might (depending on configuration) fall back to `srv1.ipa.example.com.corp.` which may accidentally exist (as an IPA server for company internal purposes).

This is purely hypothetical; I'm just trying to show that the code is subtly broken.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/281#issuecomment-263589129
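The scenario in the comment, as an added illustration that is not part of the FreeIPA code or of the comment above: a small model of a glibc-style stub resolver's search-list expansion, fed with a constructed answer table in which only the internal `srv1.ipa.example.com.corp.` host exists, plus the kind of check an installer could apply to notice that an answer came from a search-suffix expansion rather than from the literal name. The `ndots` handling and the answer table are assumptions for the example.

```python
# Added example: model of search-list expansion in a stub resolver and a
# defensive check for installers. Not FreeIPA code; the table and the
# ndots semantics below are assumptions chosen to mirror the comment.

# Constructed answer table standing in for DNS plus /etc/hosts. Only the
# company-internal IPA server exists; the public name is not published.
ANSWERS = {
    "srv1.ipa.example.com.corp.": "10.0.0.5",   # hypothetical internal host
}


def candidates(name, search, ndots=1):
    """Names a glibc-style resolver would try, in order.

    A trailing dot makes the name absolute, so only the literal name is
    tried. Otherwise, if the name contains at least `ndots` dots the
    literal name is tried first and the search suffixes afterwards; with
    fewer dots the suffixed forms are tried first.
    """
    if name.endswith("."):
        return [name]
    literal = name + "."
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [literal] + suffixed
    return suffixed + [literal]


def resolve(name, search, answers=ANSWERS, ndots=1):
    """Walk the candidate list; return (matched_name, address) or None."""
    for cand in candidates(name, search, ndots):
        addr = answers.get(cand)
        if addr is not None:
            return cand, addr
    return None


def check_installer_name(name, search, answers=ANSWERS, ndots=1):
    """Accept an answer only when it came from the literal name.

    An answer produced by a search suffix means the configured host name
    does not actually exist and another machine was matched by accident.
    """
    result = resolve(name, search, answers, ndots)
    if result is None:
        return "unresolvable"
    matched, addr = result
    literal = name if name.endswith(".") else name + "."
    if matched != literal:
        return f"search-list match: {matched} -> {addr}"
    return f"ok: {matched} -> {addr}"
```

With `corp` in the search list, `srv1.ipa.example.com` (no trailing dot) silently resolves to the internal server, while the absolute form `srv1.ipa.example.com.` correctly fails.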

