A couple of problems with CNAMEs for services are that it's hard to know if the clients are really using them or just the hostname/IP address directly, and firewall rules might need to be updated whenever one moves a CNAME from one host to another -- often also quite hard to keep track of. And changing CNAMEs involves TTLs, which e.g. Java VMs ignore completely by default (networkaddress.cache.ttl=-1).

I would much rather use dedicated extra IPs for the services -- service names as A records. And at the same time have iptables on the host only allow connections to these, and not directly to the host's main IP address.

-jf
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
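
The setup proposed in the message above, as an added example that is not part of the original post or of any Fedora configuration: the script prints, rather than applies, the commands that put each service on its own IP and restrict inbound traffic to those IPs. The addresses, interface name, ports, the SSH exception from an admin network and the LOG rule are all assumptions.

```shell
#!/bin/sh
# Added example: print (do not apply) the commands for one host that serves
# each service on its own IP. Every value below is constructed for illustration.
MAIN_IP="192.0.2.10"        # host's own address (assumption)
ADMIN_NET="198.51.100.0/24" # network allowed to SSH to the host (assumption)
IFACE="eth0"                # assumption
# One "name:service-ip:tcp-port" per line; each name is an A record for its IP.
SERVICES="db:192.0.2.50:5432
www:192.0.2.51:443"

emit_rules() {
    echo "iptables -N SVC-IN"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$SERVICES" | while IFS=: read -r name ip port; do
        [ -n "$name" ] || continue
        # The service IP is an extra address on the host; moving the service
        # means moving this address, and the A record does not change.
        echo "ip addr add $ip/32 dev $IFACE"
        echo "iptables -A SVC-IN -d $ip -p tcp --dport $port -m comment --comment svc-$name -j ACCEPT"
    done
    echo "iptables -A INPUT -j SVC-IN"
    # Management exception on the main IP (assumption, not in the message).
    echo "iptables -A INPUT -s $ADMIN_NET -d $MAIN_IP -p tcp --dport 22 -j ACCEPT"
    # Log clients that still connect to the host address directly (assumption).
    echo "iptables -A INPUT -d $MAIN_IP -m conntrack --ctstate NEW -m limit --limit 6/min -j LOG --log-prefix 'direct-to-host: '"
    echo "iptables -A INPUT -j DROP"
}

emit_rules
```

Review the printed commands before running them as root; once applied, the "direct-to-host" log lines show which clients still bypass the service names.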