Use of FQDN in key (Was: Solaris 10)
Douglas E. Engert
deengert at anl.gov
Tue Jan 10 12:00:05 EST 2006
If its one host or your own private network, you don't have to use
DNS, matching /etc/hosts files will do. And you could use unqualified
names but then you could never join the rest of the internet.
Your example impled that you where uisng the internet, but nslookup
can't find phusnikn.net.
Turbo Fredriksson wrote:
> Quoting Ken Raeburn <raeburn at MIT.EDU>:
>
>
>>On Jan 10, 2006, at 03:27, Turbo Fredriksson wrote:
>>
>>>Quoting "Douglas E. Engert" <deengert at anl.gov>:
>>>
>>>>The kadmin/icarus at PHUSNIKN.NET should be kadmin/
>>>>icarus.phusnikn.net at PHUSNIKN.NET
>>>>i.e. host names in Kerberos are always FQDN.
>>>
>>>Just for completeness, my extream curiosity etc. Why EXACTLY is
>>>that. If the
>>>DNS works perfectly (both forward and reverse), then it should be
>>>possible to
>>>NOT have the FQDN... ?
>>
>>There may be hosts from multiple subdomains in one realm. For
>>example, foo.dev.example.com and foo.sales.example.com; if you use
>>only the first component, host/foo at EXAMPLE.COM corresponds to which...?
>>
>>
>>>And why not use IP's (other than if the IP change, the
>>>key is invalid)?
>
>
> Oki, point taken. I'm trying to put this information into my own
> use, and I only have _one_ machine called 'foo', so that/this reason
> isn't valid for _me_.
>
>
>>Isn't that a pretty good reason right there?
>
>
> Absolutly! I was wondering if there where any other, not so obvious
> ones :)
>
>
>>Also, a host may have multiple IP addresses. (Then again, it may
>>also have multiple names....)
>
>
> True, but (again), in my usage there's only _one_ 'primary' IP, the
> rest is "sub-IP's" (used for SSL sites etc, nothing else).
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list