On Dec 19, 2007 4:06 PM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
> Mike McGrath wrote:
> > Comments? +1's? -1's? I'm basically going for ease of use among the
> > admins and since most people "ssh puppet1" instead of "ssh
> > puppet1.fedora.phx.redhat.com" I think in our diverse environment it
> > will be worth it and is easier than hosting a separate DNS server in
> > each of our locations.
> >
> I forgot to mention one other concern. A MitM attack or DNS poisoning.
> This possibility does exist, but exists in our environment as is
> anyway. This is something we should look at mitigating but other than
> running a DNS server at every site, I'm not totally sure how to fix it.
> I consider all of our donations as partnerships. After all, they have
> local access to the box. At the same time though it is something we
> should count as a risk and mitigate as much as possible.
>

As far as I can tell the only way to lower the risk of DNS poisoning
is local DNS servers. Having them getting DNS files from a central
host via a signed methodology would be not much different than
/etc/hosts except you can use other tricks and failovers.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"