help-cfengine

Re: TrustKeysFrom .. a host netgroup?


From: Luke A. Kanies
Subject: Re: TrustKeysFrom .. a host netgroup?
Date: Fri, 10 Jan 2003 17:08:53 -0600 (CST)

On Fri, 10 Jan 2003 Mark.Burgess@iu.hio.no wrote:

>
> Why would you want to trust DNS ?

Because DNS performs an incredibly useful function:  translating gibberish
numbers into human-readable names.

It's no more or less secure to trust host names than IP addresses as far
as I can tell.  They can each be spoofed.  In fact, it seems a bit easier
to spoof IP addresses, because all you have to do is turn up another
machine on the same network.

Security rules are different for every environment, and it doesn't really
make sense to have cfengine bound to the rules that work at only some of
the environments.

Personally, I'll take the security trade-off of using a hostname instead
of an IP address, because that way when my admins look at that, they know
specifically what hosts are allowed to do something.  If I use IP
addresses, my admins are much less likely to spot an error, because we use
DNS to keep track of which addresses are assigned to which names, rather
than trying to memorize that.

And who's to say that the name is from DNS?  It could be from the hosts
file or from LDAP, both of which can be much more trustworthy.

Luke

-- 
"Don't let your sense of morals prevent you from doing what is right."



