do i need a dedicated ip address for https?




The question was:

On Tue, 2010-12-21 at 22:53 -0800, S Mathias wrote:
>> http://help.godaddy.com/article/1054
>> "# Set up SSL protection on your website."
>> is it an inescapable requirement to have a dedicated [not fix] ip
>> address, when i want to use ssl on my domain?

and one reply asserted:

On Wed, 22 Dec 2010, Adam Tauno Williams wrote:
> Yes.
>
> Reverse DNS has to be working.

ehh?  so what? It is perfectly possible to update PTR records 
dynamically, just as with CNAMEs or A records

A CSR countersigned by a CA is built from information totally ignorant 
of the actual IPs in play [see the req_distinguished_name 
stanza of such requests as to the information needed, below] 
-- indeed, such IPs need not even be allocated, nor the host 
live, before a key file is generated, a CSR submitted to a CA 
and countersigned, and a PEM returned by the CA to the 
requestor

Managing DNS, and placement of a PEM, key and chain into the 
hosts providing an SSL-accessible website (mailserver, etc) are 
totally disjunct from the specific IPs a host is at for a 
given time

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Ohio
localityName                    = Locality Name (eg, city)
localityName_default            = Columbus
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = 781 Resolution, LLC
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server's hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 63
emailAddress_default            = domains@xxxxxxxxxxxxxxxxx

The 'commonName' field here is usually the FQDN, and may be an 
A record or a CNAME; validations are optionally done by a 
remote host querying the PTR record values to make sure there 
is a name match in the array returned [a PTR is usually unique 
and one to an IP, but I am not specifically aware of a formal 
RFC requirement of only one PTR record per IP, having looked 
again for such while writing some code on DNS content validation 
for an interface that builds zone files in the last few months]

-- Russ herrold
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
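The PTR-based name check described in the last paragraph, as an added example that is not from the thread: it resolves the commonName, queries the PTR record(s) of each address and looks for a name match in the array returned, accepting the canonical name as well so a CN that is a CNAME still passes. The resolver functions are injectable; the constructed sample zone (hypothetical example.net names, documentation addresses) lets it run offline, and live_forward/live_reverse are socket-backed for a real lookup.

```python
import socket
from typing import Callable, Dict, List, Tuple

# forward(name) -> (canonical name, [ips]); reverse(ip) -> [PTR names]
Forward = Callable[[str], Tuple[str, List[str]]]
Reverse = Callable[[str], List[str]]

def normalize(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is the root."""
    return name.rstrip(".").lower()

def check_ptr_match(fqdn: str, forward: Forward, reverse: Reverse) -> Dict[str, bool]:
    """Map each address of fqdn to whether one of its PTR names matches.

    Both the queried name and the canonical name are accepted, so a CNAME CN
    still matches when the PTR names the canonical host. A PTR lookup may
    return several names, hence set intersection. No PTR counts as mismatch.
    """
    canonical, ips = forward(fqdn)
    accepted = {normalize(fqdn), normalize(canonical)}
    result: Dict[str, bool] = {}
    for ip in ips:
        try:
            ptr_names = {normalize(n) for n in reverse(ip)}
        except OSError:  # socket.herror (no PTR) is an OSError subclass
            ptr_names = set()
        result[ip] = bool(accepted & ptr_names)
    return result

def live_forward(name: str) -> Tuple[str, List[str]]:
    """Real resolver: gethostbyname_ex follows a CNAME to the canonical name."""
    canonical, _aliases, ips = socket.gethostbyname_ex(name)
    return canonical, ips

def live_reverse(ip: str) -> List[str]:
    """Real resolver: primary PTR name plus any aliases reported."""
    primary, aliases, _ips = socket.gethostbyaddr(ip)
    return [primary, *aliases]

# Constructed sample data (hypothetical names, RFC 5737 documentation range):
# www is a CNAME for web1, which has two addresses; only .10 has PTRs.
FAKE_A = {"www.example.net": ("web1.example.net.", ["192.0.2.10", "192.0.2.11"])}
FAKE_PTR = {"192.0.2.10": ["WEB1.example.net.", "mail.example.net."]}

def fake_forward(name: str) -> Tuple[str, List[str]]:
    return FAKE_A[normalize(name)]

def fake_reverse(ip: str) -> List[str]:
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")  # mimics socket.herror
    return FAKE_PTR[ip]
```

For a live check, call check_ptr_match(cn, live_forward, live_reverse); an address that maps to False is one whose reverse DNS a PTR-checking validator would reject.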

