System Naming Schema
Jan-Frode Myklebust
janfrode at tanso.net
Fri Apr 29 08:34:04 UTC 2011
A couple of problems with CNAMEs for services are that it's hard
to know if the clients are really using them or just the hostname/
IP address directly, and firewall rules might need to be updated whenever
one moves a CNAME from one host to another -- often also quite hard
to keep track of. And changing CNAMEs involves TTLs, which e.g. Java
VMs ignore completely by default (networkaddress.cache.ttl=-1).

I would much rather use dedicated extra IPs for the services --
service names as A records. And at the same time have iptables on the
host only allow connections to these, and not directly to the host's main
IP address.
-jf
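
The setup described in the message above, as an added example that is not part of the original post: a script that builds an iptables-restore ruleset accepting each service only on its dedicated service IP. The addresses, service names, the SSH exception for a management network and the LOG rule for clients still using the main IP are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset in which each service is
# reachable only on its dedicated service IP, not on the host's main IP.
# All addresses and names are constructed (RFC 5737 documentation range).
MAIN_IP="192.0.2.10"          # host's main address (assumed)
MGMT_NET="192.0.2.0/24"       # admin network allowed to SSH to it (assumed)
SERVICES="www:192.0.2.80:tcp:80
imap:192.0.2.143:tcp:993"     # one name:service-ip:proto:port entry per line

gen_rules() {
    main_ip=$1 mgmt_net=$2 services=$3
    echo "*filter"
    echo ":INPUT DROP [0:0]"      # default-deny: anything not matched is dropped
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Assumed exception so administrators keep SSH access on the main IP.
    echo "-A INPUT -s $mgmt_net -d $main_ip -p tcp --dport 22 -j ACCEPT"
    while IFS=: read -r name ip proto port; do
        [ -n "$name" ] || continue
        if [ "$ip" = "$main_ip" ]; then
            # A service on the main IP defeats the separation; refuse it.
            echo "service '$name' is bound to the main IP" >&2
            return 1
        fi
        # Accept the service on its own address only.
        echo "-A INPUT -d $ip -p $proto --dport $port -j ACCEPT"
        # Log new connections that still target the main IP on this port,
        # then let them fall through to the DROP policy.
        echo "-A INPUT -d $main_ip -p $proto --dport $port -m limit --limit 6/min -j LOG --log-prefix \"direct-$name: \""
    done <<EOF
$services
EOF
    echo "COMMIT"
}

# Print the ruleset; pipe it to "iptables-restore --test" to validate it.
gen_rules "$MAIN_IP" "$MGMT_NET" "$SERVICES"
```

The LOG lines give a record of which clients bypass the service name and connect to the host address directly.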