[ntp:questions] change in behavior from RHEL 5 to Ubuntu 9.10
nomail at example.com
Thu Jun 3 07:36:23 UTC 2010
Hal Murray <hal-usenet at ip-64-139-1-69.sjc.megapath.net> wrote:
> In article <slrni0dh04.9k.kostecke at stasis.kostecke.net>,
> Steve Kostecke <kostecke at ntp.org> writes:
>>restrict lines containing a hostname currently resolve to _one_ IP
>>address. So, you can't use 'restrict default ignore' with a hostname
>>which resolves to multiple IP addresses unless you are able to create a
>>"relaxed" restriction line for every possible IP address for that
> Is there a bug on this?
> What's the right fix? I assume to automagically patch the
> restrict stuff to allow the IP Address returned from DNS
> lookup for the server line, but that doesn't seem quite right.
> What if I really want to ignore some chunks of IP space?
> Do we need another restrict that does something like ignore
> IP Addresses from DNS lookups?
Configurations like this would only work correctly when there is a
built-in DNS cache in the software, so that repeated references to
the same DNS name are guaranteed to result in the same IP address.
That is kind of contrary to the idea that the software should redo
the DNS lookup when the server is lost for some amount of time. The
DNS name from the pool would not return that lost server again, it
would give a different address and at that time one would have to
re-evaluate the restrict line?
I think one should not be so paranoid and use a configuration which
allows enough access and control for the local system (and/or maybe
trusted (monitoring) systems on a local network), plus limited access
and no control for the default system. No need to have an explicit
restrict line for each server.
Real trouble (abuse) should be solved in the firewall anyway.
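As an added illustration (not code from the thread or from the NTP project), the checker below models the behaviour described above: with `restrict default ignore` in place, every address a `server` name resolves to needs its own relaxed `restrict` entry, and a `restrict` line that names a host only covers the single address it resolves to. The two ntp.conf fragments, the hostnames and the stand-in DNS map are constructed for the example (documentation-range addresses, `.invalid` names); the "recommended" fragment follows the shape suggested above: limited access and no control by default, full access for localhost and a trusted monitoring network.

```python
import ipaddress

# Constructed stand-in for DNS: pool-style names return several addresses.
FAKE_DNS = {
    "0.pool.example.invalid": ["192.0.2.10", "192.0.2.11", "198.51.100.7"],
    "ntp1.corp.example.invalid": ["203.0.113.5"],
}

# Constructed "fragile" configuration: lock everything out, then try to
# re-open access per server by hostname.
FRAGILE_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict 0.pool.example.invalid nomodify notrap
server 0.pool.example.invalid iburst
server ntp1.corp.example.invalid iburst
"""

# Constructed "recommended" configuration: limited access and no control
# for everyone, full access for localhost and a trusted monitoring LAN.
RECOMMENDED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 10.20.0.0 mask 255.255.0.0 nomodify notrap
server 0.pool.example.invalid iburst
server ntp1.corp.example.invalid iburst
"""


def fake_resolve(name):
    """Return the address list for a name; an IP literal resolves to itself."""
    try:
        ipaddress.ip_address(name)
        return [name]
    except ValueError:
        return FAKE_DNS.get(name, [])


def parse_conf(text):
    """Split an ntp.conf fragment into default restrict flags, other restrict
    lines (as token lists) and the names given on server/pool/peer lines."""
    default_flags, restricts, servers = set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kw, *args = line.split()
        if kw == "restrict" and args:
            if args[0] == "default":
                default_flags = set(args[1:])
            else:
                restricts.append(args)
        elif kw in ("server", "pool", "peer") and args:
            servers.append(args[0])
    return default_flags, restricts, servers


def restrict_to_network(args, resolve):
    """Turn 'restrict <target> [mask <m>] <flags...>' into (network, flags).
    A hostname target is resolved to ONE address, as the thread describes."""
    target, rest = args[0], list(args[1:])
    mask = None
    if "mask" in rest:
        i = rest.index("mask")
        mask = rest[i + 1]
        del rest[i:i + 2]
    try:
        ipaddress.ip_address(target)
        addr = target
    except ValueError:
        addr = resolve(target)[0]          # only the first address counts
    net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    return net, set(rest)


def uncovered_server_addresses(conf_text, resolve=fake_resolve):
    """With 'restrict default ignore', list (server name, address) pairs whose
    replies would be dropped because no non-ignore restrict entry covers them.
    Returns [] when the default restriction already lets replies through."""
    default_flags, restricts, servers = parse_conf(conf_text)
    if "ignore" not in default_flags:
        return []
    allowed = []
    for args in restricts:
        net, flags = restrict_to_network(args, resolve)
        if "ignore" not in flags:
            allowed.append(net)
    problems = []
    for name in servers:
        for addr in resolve(name):
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in allowed):
                problems.append((name, addr))
    return problems


if __name__ == "__main__":
    for label, conf in (("fragile", FRAGILE_CONF), ("recommended", RECOMMENDED_CONF)):
        print(label, uncovered_server_addresses(conf) or "all server replies accepted")
```

Run stand-alone, the fragile fragment reports three uncovered addresses (two of the three pool addresses and the corporate server), even though the pool name does appear in a restrict line; the recommended fragment reports none, because the default restriction only removes control and query rights rather than dropping the replies. The same check can be re-run after a name re-resolves to a different address, which is exactly the situation the reply describes.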