Posted to docs@httpd.apache.org by bu...@apache.org on 2010/11/29 01:21:16 UTC

DO NOT REPLY [Bug 50359] New: DNS caveats and using hostnames vs. IP addresses

https://issues.apache.org/bugzilla/show_bug.cgi?id=50359

           Summary: DNS caveats and using hostnames vs. IP addresses
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Documentation
        AssignedTo: docs@httpd.apache.org
        ReportedBy: calestyo@scientia.net


http://httpd.apache.org/docs/2.2/dns-caveats.html and many other places warn
against using hostnames instead of IP addresses in several directives.

It should be added that this is:
a) ...only partially true, when using "foreign" nameservers but having DNSSEC
deployed and used on all relevant zones
=> Then it's at least not possible to trick the server to use "wrong"
addresses, but DoS attacks might still be possible
b) ...totally safe to use hostnames, when using one's own nameservers, if
- the connection to them is secure (e.g. on the same host, TSIG, DNSSEC, IPsec
secured connection, etc.)
- they're authoritative for the respective zones
c) ...totally safe, when the respective host/domain names are specified in
/etc/hosts, and that one is used rather than DNS (=> /etc/nsswitch.conf).


I guess it makes sense to note this, as right now, security-conscious people
don't use hostnames (because of the warnings) but might find hostnames much
easier in order to make changing IP addresses less elaborate.

e.g. I specify things like:
1.2.3.4 eth0.localhost
in my /etc/hosts and with that have a central point to change my static IPs
(for all services using hostnames).

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
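A check for the reporter's scenario (c), added here as an example that is not part of the bug report or of httpd itself: it parses hosts(5)-format and nsswitch.conf-format text and reports which hostnames would be answered from the local file before DNS is ever consulted. The sample /etc/hosts and /etc/nsswitch.conf contents below are constructed for the example; point the functions at the real files to audit the hostnames used in an httpd configuration.

```python
# Constructed sample inputs standing in for /etc/hosts and /etc/nsswitch.conf.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# static addresses for local services, as in the bug report
1.2.3.4     eth0.localhost www.example.test
"""
SAMPLE_NSSWITCH = """\
passwd:  files
hosts:   files dns
"""


def parse_hosts(text):
    """Map every name/alias in hosts(5)-format text to its address (first entry wins)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def files_before_dns(nsswitch_text):
    """True if the 'hosts:' line consults 'files' before 'dns' (or never uses dns at all)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            sources = line[len("hosts:"):].split()
            if "dns" not in sources:
                return True
            if "files" not in sources:
                return False
            return sources.index("files") < sources.index("dns")
    # No hosts: line at all: treat conservatively as "DNS may be consulted first".
    return False


def check_names(names, hosts_text, nsswitch_text):
    """Return {name: pinned} where pinned is True only if the name is in the hosts
    file AND the resolver order guarantees the file is consulted before DNS."""
    table = parse_hosts(hosts_text)
    local_first = files_before_dns(nsswitch_text)
    return {n: (local_first and n.lower() in table) for n in names}


if __name__ == "__main__":
    for name, pinned in check_names(["eth0.localhost", "mail.example.test"],
                                    SAMPLE_HOSTS, SAMPLE_NSSWITCH).items():
        print(name, "pinned in /etc/hosts" if pinned else "may be resolved via DNS")
```

A name reported as not pinned is one for which the dns-caveats warning still fully applies.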


DO NOT REPLY [Bug 50359] DNS caveats and using hostnames vs. IP addresses

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50359

Rich Bowen <rb...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #1 from Rich Bowen <rb...@apache.org> 2010-12-27 16:25:51 EST ---
I disagree with this bug report. It is not the job of the documentation to
teach the reader how to exploit the server. Nor is it the job of the docs to
list all possible permutations in which the recommended BEST PRACTICE is not
100% necessary. It is, instead, our job to promote best practice configurations
that are the right thing to do in most cases.

By the argument here, we should also list all the scenarios in which it's
probably-mostly-ok to use hostnames in <VirtualHost> declarations too. But, in
fact, we don't ever want to encourage that, because it's not the right thing to
do in most cases, and it increases the support burden when everyone feels that
there's no recommended best practice.

Those who know, and understand, the rules, should probably feel comfortable
breaking them. We're not comfortable encouraging the other 98% to ignore the
rules.
