host name resolution, again (krb5-1.3-alpha1 is available)
Nathan Neulinger
nneul at umr.edu
Fri Mar 14 21:43:29 EST 2003
Looks like someone at your site already did some nice work on that front
ripping out the useful dns portions of lbnamed into a module.
http://www.stanford.edu/~riepel/lbnamed/Stanford-DNSserver/
Very cool... Can just follow ISC's load-balancing recommendations and
delegate the host to the balancing dns server and configure it to return
a round-robin targeted cname and the problems with gssapi/telnet/ftp
should be solved without any major security or coding hassle.
-- Nathan
On Fri, 2003-03-14 at 20:16, Nathan Neulinger wrote:
> Ick. It'd be less trouble to just install lbnamed or similar and have it
> randomly return a cname.
>
> Multiple cnames in a response violates the dns rfc's, but as far as I
> know, returning a _single_ cname with a random target should be fine.
>
> -- Nathan
>
> On Fri, 2003-03-14 at 20:10, Russ Allbery wrote:
> > Nathan Neulinger <nneul at umr.edu> writes:
> >
> > > A similar issue exists with other gssapi code. Makes it pretty difficult
> > > to do any kerberos functionality with dns-rotated hostnames.
> >
> > > I've been able to hack around it for telnet (all keys installed on all
> > > the machines sharing the same name), but haven't figured out a way to
> > > make it work with ssh yet, and haven't even bothered with ftp.
> >
> > We wrap telnet with a script that does a forward and reverse DNS lookup to
> > get the "real" name of the current load-balance winner and then passes
> > that to the actual telnet binary. Our PC and Mac code does the
> > equivalent.
--
------------------------------------------------------------
Nathan Neulinger EMail: nneul at umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
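
Added example, not part of the original messages and not krb5 or Stanford code: a Python sketch of the wrapper approach described in the quoted text above (forward then reverse DNS lookup to find the "real" name of the current load-balance winner, then pass that name to the actual telnet binary). The function names, the forward-confirmation check on the PTR answer, and the example.edu records are assumptions constructed for illustration.

```python
import socket

# Constructed sample records (not real hosts): one rotated alias, two machines.
SAMPLE_FWD = {
    "login.example.edu": ["192.0.2.11", "192.0.2.12"],
    "login1.example.edu": ["192.0.2.11"],
    "login2.example.edu": ["192.0.2.12"],
}
SAMPLE_REV = {"192.0.2.11": "login1.example.edu.",
              "192.0.2.12": "Login2.Example.EDU"}


def system_forward(name):
    """A-record lookup through the system resolver (IPv4 only)."""
    return socket.gethostbyname_ex(name)[2]


def system_reverse(addr):
    """PTR lookup through the system resolver."""
    return socket.gethostbyaddr(addr)[0]


def real_name(alias, forward=system_forward, reverse=system_reverse):
    """Return (name, address) of the machine currently answering for alias."""
    addrs = forward(alias)
    if not addrs:
        raise LookupError("no address for %s" % alias)
    addr = addrs[0]  # the current load-balance winner
    name = reverse(addr).rstrip(".").lower()
    # Assumption added in this example: the PTR name must resolve back to the
    # same address, so a stray or forged PTR record cannot choose the name
    # that the Kerberos service principal is built from.
    if addr not in forward(name):
        raise LookupError("%s -> %s does not resolve back" % (addr, name))
    return name, addr


def telnet_argv(alias, extra_args=(), **resolvers):
    """Command line for the real telnet binary, using the canonical name."""
    name, _ = real_name(alias, **resolvers)
    return ["telnet", *extra_args, name]


if __name__ == "__main__":
    # Offline run against the constructed tables above.
    print(telnet_argv("login.example.edu",
                      forward=lambda n: SAMPLE_FWD.get(n, []),
                      reverse=SAMPLE_REV.__getitem__))
```

The result depends on unauthenticated DNS answers in both directions, so the forward-confirmation step only catches inconsistent records, not a resolver path that is spoofed end to end.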