[Freeipa-users] be aware of name collision problem

Petr Spacek pspacek at redhat.com
Wed May 21 13:58:06 UTC 2014


On 21.5.2014 15:46, Davis Goodman wrote:
>
> On May 21, 2014, at 8:17, Petr Spacek <pspacek at redhat.com> wrote:
>
>> Hello,
>>
>> On 21.5.2014 13:31, Davis Goodman wrote:
>>> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b
>>> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
>>
>> Please note that domain shadowing/hijacking/name collisions are *strongly*
>> discouraged.
>>
>> You *should not* use domain names you don't own. (According to
>> http://www.iana.org/cgi-bin/intreg/intreg.pl
>> domain name 'ddistrict.int' is not registered. Policy for .int registration is
>> on http://www.iana.org/domains/int/policy)
>>
>> It will cause problems with DNSSEC and it also prevents you from accessing
>> resources on the Internet under the colliding name.
>>
>>
>> I guess that you want to have an internal sub-tree in DNS.
>> The recommended practice is to use a sub-domain of your public (properly
>> registered) domain. E.g.:
>>
>> 'int.digital-district.ca'
>> or even shorter
>> 'i.digital-district.ca'
>>
>> I hope this will help you to avoid serious problems in the future.
>>
>> Have a nice day!
>>
>> --
>> Petr^2 Spacek
> Hi Peter,
>
> Gee, I didn’t even know the .int was a public suffix domain. I guess we’re kind
> of stuck with it now, but it’s good to know.

Oh yes, that is the reason why we strongly recommend that people use a sub-tree in
*their* domain. That prevents such situations (e.g. when ICANN delegates new
TLDs).

Please see
http://www.freeipa.org/page/Deployment_Recommendations
and documents linked from that page for details.

Have a nice day!

-- 
Petr^2 Spacek
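
The recommendation in this message can be checked before a deployment. The following is an added example, not part of the original thread and not FreeIPA code: it derives the DNS domain from the dc= components of an LDAP DN and tests whether that name lies inside a domain the organization owns. The function names and the `OWNED` list are assumptions; the DN and domain names are the ones quoted in the thread.

```python
"""Pre-deployment check: is the planned IPA DNS domain inside a domain we own?"""


def dn_to_domain(dn):
    """Build the DNS name from the dc= components of an LDAP DN."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError("no dc= components in %r" % dn)
    return ".".join(labels)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def owning_domain(domain, owned):
    """Return the owned domain that contains `domain`, or None.

    The match is made on label boundaries, so 'notdigital-district.ca'
    is not treated as part of 'digital-district.ca'.
    """
    d = normalize(domain)
    parents = [normalize(p) for p in owned if normalize(p)]
    for parent in sorted(parents, key=len, reverse=True):
        if d == parent or d.endswith("." + parent):
            return parent
    return None


# Assumption for this example: the only registered domain of the organization.
OWNED = ["digital-district.ca"]

# Search base quoted in the thread.
THREAD_DN = "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"

if __name__ == "__main__":
    for name in (dn_to_domain(THREAD_DN), "int.digital-district.ca",
                 "i.digital-district.ca"):
        parent = owning_domain(name, OWNED)
        verdict = "inside " + parent if parent else "NOT under an owned domain"
        print("%-26s %s" % (name, verdict))
```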
