The question was: On Tue, 2010-12-21 at 22:53 -0800, S Mathias wrote: >> http://help.godaddy.com/article/1054 >> "# Set up SSL protection on your website." >> is it an inescapable requirement to have a dedicated [not fix] ip >> address, when i want to use ssl on my domain? and one reply asseted: On Wed, 22 Dec 2010, Adam Tauno Williams wrote: > Yes. > > Reverse DNS has to be working. ehh? so what? It is perfectly possible to update PTR records dynamically, just as with CNAMEs or A records A CSR countersign by a CA is from information totally ignorant of the actual IP's in play [see the req_distinguished_name stanza of such requests as to the information needed, below] -- indeed, such IPs need not even be allocated, nor the host live, before a key file is generated, a CSR submitted to a CA and countersigned, and a PEM returned by the CA to the requestor Managing DNS, and placement of a PEM, key and chain into the hosts providing a SSL accessible website (mailserver, etc) are totally disjunct from the specific IP's a host is at for a given time [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Ohio localityName = Locality Name (eg, city) localityName_default = Columbus 0.organizationName = Organization Name (eg, company) 0.organizationName_default = 781 Resolution, LLC organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address emailAddress_max = 63 emailAddress_default = domains@xxxxxxxxxxxxxxxxx The 'commonName' field here is usually the FQDN, and may be an A record or a CNAME; validations are optionally done by a remote host querying the PTR record values to make sure there is a name match in the array returned [a PTR is usually unique and one to an IP, but I am not specifically aware of a formal RFC requirement of only one PTR record per IP, having looked again for such writing some code on DNS content validation for an interface that builds zone files in the last few months] -- Russ herrold _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos