[CentOS] Death of dyndns

Mon Apr 14 13:42:07 UTC 2014
David G. Miller <dave at davenjudy.org>

Stephen Harris <lists at ...> writes:

> 
> On Sun, Apr 13, 2014 at 02:06:42PM +0000, David G. Miller wrote:
> 
> > Be aware that the actual "owner" of the dynamic IP address is still
> > authoritative for reverse look ups.  This means that some uses of a system
> > with a dynamic IP address are problematic (e.g., mail server) since the
> > reverse look up fails.  Other uses (sshd) in theory work but folks have to
> 
> Not necessarily fail.  eg I do my own dynamic DNS so that "xxx.my.domain"
> has an A record to my home.  But if I do an rDNS for that IP then it
> returns a verizon.net record.  However this is not a problem as long as
> a forward lookup for that name returns an A record which matches.
> 
<SNIP>
Interesting.  I had to have my ISP add a C record to their DNS for my fixed
IP address before most of my e-mails were accepted.  I recently also had to
add an SPF (sender policy framework) record on my DNS to get my e-mails
accepted by gmail.  You could try to manage the SPF record the same way you
do other dynamic IP address records but there was a couple of days' lag before
gmail accepted it when I put it in place.

> ssh client should manage that for you automatically.  It'll know you're
> connecting to "xxx.my.domain" and the host key will match and it should
> automatically add a new record to known_hosts for the IP address.  (Or
> you can configure ssh_config to not care).
> 
Absolutely correct but then you lose the IP checking for a man in the middle
attack.  This wouldn't be that bad on a fixed IP address but would seem to
be a lot riskier on a dynamic IP address.  

Cheers,
Dave
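
Added example (not part of the original message): the forward-confirmed reverse DNS check described in the quoted reply above, where the PTR name may belong to the ISP as long as a forward lookup of that name returns the same address. The addresses, host names and the `demo` helper are constructed for illustration; `system_ptr` and `system_addrs` wrap the system resolver and are not used by the sample data.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver (needs network)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_addrs(name):
    """A/AAAA addresses for name via the system resolver (needs network)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return [info[4][0] for info in infos]

def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return the PTR name that forward-confirms ip, or None if none does."""
    want = ipaddress.ip_address(ip)
    for name in ptr_lookup(ip):
        for addr in addr_lookup(name):
            try:
                if ipaddress.ip_address(addr) == want:
                    return name.rstrip(".").lower()
            except ValueError:
                continue  # e.g. scoped IPv6 literal; cannot match
    return None

# Constructed sample zone data (documentation ranges, not real hosts).
PTR = {
    "203.0.113.25": ["pool-203-0-113-25.isp.example."],  # ISP-owned PTR
    "203.0.113.77": ["mail.spoofed.example."],           # PTR with no matching A
}
A = {
    "pool-203-0-113-25.isp.example.": ["203.0.113.25"],
    "xxx.my.domain.example.": ["203.0.113.25"],          # owner's dynamic name
    "mail.spoofed.example.": ["198.51.100.9"],
}

def demo(ip):
    """Run the check against the constructed tables above."""
    return fcrdns(ip, lambda i: PTR.get(i, []), lambda n: A.get(n, []))

if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.77", "203.0.113.200"):
        print(ip, "->", demo(ip) or "no forward-confirmed PTR")
```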