[CentOS] CentOS 7, systemd, NetworkMangler, oh, my

Wed Feb 15 04:52:24 UTC 2017
Alice Wonder <alice at domblogger.net>

On 02/14/2017 08:40 PM, Alice Wonder wrote:
> On 02/14/2017 06:49 AM, Johnny Hughes wrote:
>
>>
>> But as Linux installs become more and more complicated and it is not
>> some individual machines in a rack but clouds, clusters, and containers
>> with software defined networking and individual segments for specific
>> applications spread out within the network, only talking to one another
>> .. etc.  Well, NM will be much more important.
>
> All due respect, when we drop KISS it is rarely a good thing.
>
> Issue I am dealing with right now - all my VMs with linode are CentOS 7.
>
> Three of them are nameservers, I have to run my own because some of my
> sites - I use certificate authorities but do not trust them, DNSSEC with
> DANE is a must, and with DNSSEC the only way to make sure I'm the only
> one with access to the private signing key is to manage the zone files
> myself.
>
> One of the VMs (in London data center) was recently migrated to a
> different machine, I think because of a bad fan in the server.
>
> NSD never properly came up. After investigation, it is because the IPv6
> address changed.
>
> Trying to figure out why the IPv6 address changed has been a nightmare.
>
> Linode support suspects the reason is because the VM is using slaac
> private to request the IP address instead of slaac hwaddr - and
> suggested that I change the /etc/dhcpcd.conf file.
>
> Well CentOS 7 doesn't use that, and trying to figure out where in the
> mess of /etc/sysconfig/network-scripts the problem is occurring has
> caused me much frustration.
>
> Why the bleep can't stuff like this be simple KISS with simple key=value
> configuration files?
>
> So for now, that particular nameserver is only IPv4 until I figure it
> out, and modifying the network scripts to try and figure out how to fix
> it raises my blood pressure because if a modification causes the IPv4
> not to work, recovering becomes a real PITA.

As far as my not trusting certificate authorities goes: I read a Netcraft 
report a year or so ago that estimated about 100 fraudulent TLS 
certificates that browsers accept as valid are issued every month.

PKI is seriously broken; it depends upon trusting certificate 
authorities that have repeatedly demonstrated they put profit over 
proper validation before issuing certificates.

DNSSEC + DANE is the only viable solution, and DANE is really only 
secure when you know no one else has access to the private KSK and ZSK, 
and that pretty much means running your own authoritative nameservers, 
where a stable IP address is a must and VMs like what Linode offers are 
the most cost-effective way of making sure you have enough in 
geographically diverse locations.

It's a shame that Network Manager makes things so difficult; DHCP is how 
VM hosting services assign the IP addresses, and they really shouldn't change.
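As an added example that is not part of this thread, the check below tells apart the two address kinds the quoted message mentions: a global IPv6 address formed from the MAC (what the Linode support answer calls "slaac hwaddr", which survives a migration to a host that keeps the MAC) versus a privacy or temporary address that is not tied to the hardware address and can change, which is the failure mode that kept NSD from binding. The MAC, the 2001:db8: prefix and the `ip -6 addr` output are constructed sample data, not taken from any real host.

```python
"""Classify an interface's global IPv6 addresses as MAC-derived (EUI-64 SLAAC,
'slaac hwaddr') or privacy/temporary addresses that may change on migration."""
import ipaddress
import re

SAMPLE_MAC = "52:54:00:12:34:56"  # constructed, locally administered MAC
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:0:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86400sec preferred_lft 14400sec
    inet6 2001:db8:1:0:dead:beef:1234:5678/64 scope global temporary dynamic
    inet6 2001:db8:1:0:7a1c:9f3e:2b44:d0e1/64 scope global dynamic
    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""  # constructed `ip -6 addr show eth0` output

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): split the MAC, insert ff:fe in the
    middle and flip the universal/local bit of the first octet."""
    octets = [int(b, 16) for b in mac.split(":")]
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3] + [0xFF, 0xFE] + octets[3:]), "big")

def slaac_hwaddr_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address SLAAC forms from a /64 prefix plus the MAC-derived IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def classify_global_addresses(ip_addr_output: str, mac: str):
    """Return (address, kind) for every 'scope global' inet6 line."""
    results = []
    for line in ip_addr_output.splitlines():
        m = re.search(r"inet6 ([0-9a-f:]+)/(\d+) scope global", line)
        if not m:
            continue  # link-local and lifetime lines are not of interest
        addr, plen = ipaddress.IPv6Address(m.group(1)), int(m.group(2))
        if plen != 64:
            kind = "no EUI-64 (prefix is not /64)"
        elif addr == slaac_hwaddr_address(f"{addr}/{plen}", mac):
            kind = "slaac hwaddr (stable, derived from MAC)"
        elif "temporary" in line:
            kind = "slaac private temporary (rotates)"
        else:
            kind = "not MAC-derived (stable-privacy or manual; may change on migration)"
        results.append((str(addr), kind))
    return results
```

On a real box, feed it the output of `ip -6 addr show <iface>` and the MAC from `ip link`; a nameserver that listens on a "not MAC-derived" or "temporary" address has a fragile binding.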