rdns, past and future

Ken Dreyer ktdreyer at ktdreyer.com
Tue May 26 18:31:44 EDT 2020


On Tue, May 26, 2020 at 3:58 PM Jeffrey Altman
<jaltman at secure-endpoints.com> wrote:
>
>  2. Before the existence of DNS SRV records, CNAME records were the
>     only method of offering a service on multiple hosts.  However,
>     it's a poor idea to share the same key across all of the hosts.

I'm curious about this. What makes it a poor idea?

It seems like a very convenient way to scale a service up and down
dynamically quickly when you share a key among all instances.

>     Again, disabling "rdns" by default will break an unknown number
>     of application clients.

Sure. My point is that it breaks the other way for modern
architectures where PTR records will never be under an application
developer's control. With Kubernetes a service can appear to clients
to move IPs very quickly. I'm not defending Kubernetes or anything
here, I'm wildly speculating that maybe breaking with the past is a
good idea as more applications and developers move in this direction.

- Ken
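Added illustration, not part of the thread and not krb5 project code: a toy model of how a Kerberos client turns a typed hostname into a host-based service principal under the krb5.conf settings dns_canonicalize_hostname and rdns, run against a constructed zone. The realm EXAMPLE.COM, the svc/app/node names, the pod-style PTR names and the keytab contents are all made up for the example. It shows the two cases the thread contrasts: a CNAME alias in front of a per-host key works either way, while a name whose address and PTR record change underneath the application only matches a shared keytab when rdns is off.

```python
"""
Simplified model of MIT krb5 hostname canonicalization for host/<fqdn>@REALM
principals.  Added example; realm, zone data and keytabs are constructed.

Modelled rules (simplified from the krb5.conf documentation):
  * dns_canonicalize_hostname = false: use the name as typed (lowercased,
    trailing dot stripped); no DNS lookups at all.
  * dns_canonicalize_hostname = true: follow CNAMEs to the canonical name.
  * rdns = true (the default): additionally reverse-resolve the address and
    use the PTR name if one exists, otherwise keep the forward name.
"""

REALM = "EXAMPLE.COM"  # constructed realm

# Constructed zone.  svc.example.com is a "CNAME era" alias in front of one
# node.  app.example.com stands for a Kubernetes-hosted service whose address
# and PTR name the application team does not control.
CNAME = {"svc.example.com": "node1.example.com"}
A = {
    "node1.example.com": "10.0.0.1",
    "node2.example.com": "10.0.0.2",
    "node3.example.com": "10.0.0.3",          # deliberately has no PTR
    "app.example.com": "10.244.1.5",
}
PTR = {
    "10.0.0.1": "node1.example.com",
    "10.0.0.2": "node2.example.com",
    "10.244.1.5": "10-244-1-5.default.pod.cluster.local",  # constructed pod name
}


def forward_lookup(name, cname=CNAME, a=A):
    """Follow CNAMEs (bounded) and return (canonical_name, address)."""
    for _ in range(8):                      # guard against CNAME loops
        if name in cname:
            name = cname[name]
            continue
        if name in a:
            return name, a[name]
        raise LookupError(f"no A record for {name}")
    raise LookupError("CNAME chain too long")


def canonical_hostname(hostname, *, dns_canonicalize_hostname=True, rdns=True,
                       cname=CNAME, a=A, ptr=PTR):
    """Return the host component a client would put into the principal."""
    host = hostname.lower().rstrip(".")
    if not dns_canonicalize_hostname:
        return host
    fwd_name, addr = forward_lookup(host, cname, a)
    if rdns and addr in ptr:
        return ptr[addr].lower().rstrip(".")
    return fwd_name                         # rdns on but no PTR: fall back


def service_principal(service, hostname, realm=REALM, **opts):
    return f"{service}/{canonical_hostname(hostname, **opts)}@{realm}"


def can_authenticate(keytab, principal):
    """The server can decrypt the ticket only if its keytab holds that name."""
    return principal in keytab


# Constructed keytabs.
# Per-host key, as in the CNAME-era deployment: node1 holds only its own key.
NODE1_KEYTAB = {"host/node1.example.com@EXAMPLE.COM"}
# Shared key: every app instance carries the same key for the service name.
APP_KEYTAB = {"host/app.example.com@EXAMPLE.COM"}


def kubernetes_rescheduled(new_addr, new_ptr):
    """Return (a, ptr) tables in which app.example.com has moved to a new pod."""
    a = {**A, "app.example.com": new_addr}
    ptr = {**PTR, new_addr: new_ptr}
    return a, ptr


if __name__ == "__main__":
    for host in ("svc.example.com", "app.example.com"):
        for rdns in (True, False):
            print(f"{host:16} rdns={rdns!s:5} -> {service_principal('host', host, rdns=rdns)}")
    a, ptr = kubernetes_rescheduled("10.244.2.9", "10-244-2-9.default.pod.cluster.local")
    print("after reschedule, rdns=True :", service_principal("host", "app.example.com", a=a, ptr=ptr))
    print("after reschedule, rdns=False:", service_principal("host", "app.example.com", rdns=False, a=a, ptr=ptr))
```

Run it stand-alone to see the principal names side by side. Note that with rdns=True the app principal changes every time the pod's address changes, so a keytab provisioned for host/app.example.com never matches; with rdns=False the client asks for host/app.example.com no matter which address the name currently points to, which is what makes the shared-key scale-out described above work.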


More information about the Kerberos mailing list