rdns, past and future
Ken Dreyer
ktdreyer at ktdreyer.com
Tue May 26 18:31:44 EDT 2020
On Tue, May 26, 2020 at 3:58 PM Jeffrey Altman
<jaltman at secure-endpoints.com> wrote:
>
> 2. Before the existence of DNS SRV records, CNAME records were the
> only method of offering a service on multiple hosts. However,
> it's a poor idea to share the same key across all of the hosts.
I'm curious about this. What makes it a poor idea?
It seems like a very convenient way to scale a service up and down
dynamically quickly when you share a key among all instances.
> Again, disabling "rdns" by default will break an unknown number
> of application clients.
Sure. My point is that it breaks the other way for modern
architectures where PTR records will never be under an application
developer's control. With Kubernetes a service can appear to clients
to move IPs very quickly. I'm not defending Kubernetes or anything
here, I'm wildly speculating that maybe breaking with the past is a
good idea as more applications and developers move in this direction.
- Ken
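The canonicalization step the two of them are arguing about, as an added example that is not from this thread or from the Kerberos sources: a simplified offline model of how a client turns a service hostname into a principal name with and without rdns. The CNAME, A and PTR tables and every name in them are constructed assumptions; the real library resolves through getaddrinfo/getnameinfo and has further options this model leaves out.

```python
# Simplified model of Kerberos client hostname canonicalization (not krb5 code).
# Forward resolution (following CNAMEs) always happens; the reverse (PTR) step
# happens only when rdns is enabled. All DNS data below is constructed.

CNAME = {"svc.example.com": "node-a.example.com"}        # constructed: service alias
A = {"node-a.example.com": "192.0.2.10"}                  # constructed: backend address
PTR = {"192.0.2.10": "ip-192-0-2-10.cluster.internal"}    # constructed: PTR set by the
                                                          # platform, not the app owner


def forward_canonical(host, cname, a):
    """Follow the CNAME chain (loop-checked) to the name that owns the A record."""
    seen = set()
    while host in cname:
        if host in seen:
            raise ValueError(f"CNAME loop at {host}")
        seen.add(host)
        host = cname[host]
    if host not in a:
        raise LookupError(f"no A record for {host}")
    return host, a[host]


def service_principal(service, host, rdns, cname=CNAME, a=A, ptr=PTR):
    """Return service/<canonical-host> as a client would build it.

    With rdns=True the PTR name of the resolved address replaces the forward
    name when one exists, so the principal depends on reverse DNS the
    application developer may not control (the Kubernetes case in the thread).
    """
    name, addr = forward_canonical(host.lower().rstrip("."), cname, a)
    if rdns and addr in ptr:
        name = ptr[addr]
    return f"{service}/{name.lower().rstrip('.')}"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"rdns={flag}: {service_principal('host', 'svc.example.com', flag)}")
```

With rdns disabled the client asks for the key of the CNAME target; with it enabled it asks for a key named after whatever PTR record the address happens to have.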