[CentOS] Death of dyndns

Sun Apr 13 14:17:00 UTC 2014
Stephen Harris <lists at spuddy.org>

On Sun, Apr 13, 2014 at 02:06:42PM +0000, David G. Miller wrote:

> Be aware that the actual "owner" of the dynamic IP address is still
> authoritative for reverse look ups.  This means that some uses of a system
> with a dynamic IP address are problematic (e.g., mail server) since the
> reverse look up fails.  Other uses (sshd) in theory work but folks have to

Not necessarily fail.  e.g. I do my own dynamic DNS so that "xxx.my.domain"
has an A record to my home.  But if I do an rDNS for that IP then it
returns a verizon.net record.  However this is not a problem as long as
a forward lookup for that name returns an A record which matches.

Anyone who does "xxx.my.domain -> A -> IP -> rDNS -> verizon" and thinks
that is broken is doing DNS wrong wrong wrong.

You either do
  xxx.my.domain -> A -> IP
OR
  IP -> rDNS -> verizon -> A -> IP
(note: dynamic DNS doesn't even show up here).

You never do
  xxx.my.domain -> A -> IP -> rDNS -> verizon.
because that's a misunderstanding of how DNS works and what the rDNS
lookup is meant to validate.

Where it can fail is if the owner of the IP doesn't have rDNS or the rDNS
doesn't match a further A lookup.  That's irrelevant to the dynamic DNS
record, though.

What does confuse some people is a second misunderstanding of DNS;
e.g. "I have xxx.my.domain" but mail is being rejected from it.  That's,
again, because the dynamic DNS isn't in the question; it's a pure
  IP->rDNS->A->IP
check and you don't own the IP.

> continually update their ssh saved keys for that system whenever the IP
> address changes.

ssh client should manage that for you automatically.  It'll know you're
connecting to "xxx.my.domain" and the host key will match and it should
automatically add a new record to known_hosts for the IP address.  (Or
you can configure ssh_config to not care).

-- 

rgds
Stephen
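
The IP -> rDNS -> A -> IP check described in the message above, as an added example that is not part of the original post. The zone data is constructed (documentation addresses, placeholder names under isp.example) and the function names are hypothetical; the default lookups use the system resolver.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:              # herror/gaierror: no PTR or lookup failure
        return []
    return [name, *aliases]

def system_addrs(name):
    """A/AAAA lookup via the system resolver; returns address strings."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return [info[4][0].split("%")[0] for info in infos]  # drop IPv6 scope id

def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """IP -> rDNS -> A -> IP. Returns (verdict, confirming name or None)."""
    want = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return "no-rdns", None
    for name in names:
        for addr in addr_lookup(name):
            if ipaddress.ip_address(addr) == want:
                return "pass", name.rstrip(".").lower()
    return "mismatch", None

# Constructed sample data: what the IP owner publishes, plus one dynamic name.
PTR = {
    "192.0.2.10": ["pool-192-0-2-10.isp.example."],  # PTR with a matching A
    "192.0.2.20": ["host20.isp.example."],           # PTR whose A points elsewhere
}                                                    # 192.0.2.30 has no PTR at all
A = {
    "xxx.my.domain": ["192.0.2.10"],  # dynamic DNS name; the check never asks for it
    "pool-192-0-2-10.isp.example.": ["192.0.2.10"],
    "host20.isp.example.": ["198.51.100.7"],
}

def check(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return fcrdns(ip, lambda i: PTR.get(i, []), lambda n: A.get(n, []))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check(ip))
```

The first address passes on the ISP's own name alone; the other two are the failure cases the message names (rDNS that does not match a further A lookup, and no rDNS).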