
Comments on "Understanding DNS Resolution on Linux and Kubernetes"
1. szszrk+Kx2 2025-03-24 14:40:29
>>fanf2+(OP)
> The Kubernetes DNS resolves A-B-C-D.N.pod.cluster.local to A.B.C.D, as long as A.B.C.D is a valid IP address and N is an existing namespace. Let’s be honest: I don’t know how this serves any purpose, but if you do, please let me know!

You can use that to

- test weird DNS setups

- issue proper TLS certificates (you can technically do that, but it's a less-known fact, and some services like Let's Encrypt forbid it as a rule)

- utilize a single IP and the same port for multiple services (so just a common host/server configuration on a typical reverse proxy, optionally with SNI to be used with TLS on top).

2. vbezhe+3B7 2025-03-26 11:36:13
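As an added illustration (not code from the thread or from Kubernetes itself), here is the pod-name rule quoted above modelled in Python, including the distinction between the CoreDNS kubernetes plugin's `pods insecure` mode (answers for any syntactically valid IP under an existing namespace, the behaviour the OP describes) and `pods verified` mode (answers only when a pod with that IP actually exists in that namespace). The cluster state below is a constructed dictionary standing in for the API server.

```python
import ipaddress
import re
from typing import Dict, Optional, Set

CLUSTER_DOMAIN = "cluster.local"

# Constructed sample cluster state: namespace -> set of pod IPv4 addresses.
# In a real cluster CoreDNS learns this from the Kubernetes API.
NAMESPACES: Dict[str, Set[str]] = {
    "default": {"10.244.1.7", "10.244.1.9"},
    "kube-system": {"10.244.0.3"},
}

# <A-B-C-D>.<namespace>.pod.<cluster-domain>; dashes stand in for dots.
_POD_NAME = re.compile(
    r"^(?P<ip>[0-9]{1,3}(?:-[0-9]{1,3}){3})\.(?P<ns>[a-z0-9-]+)\.pod\.(?P<domain>.+)$"
)


def resolve_pod_name(name: str, mode: str = "insecure",
                     namespaces: Dict[str, Set[str]] = NAMESPACES,
                     cluster_domain: str = CLUSTER_DOMAIN) -> Optional[str]:
    """Return the IPv4 address the pod name maps to, or None for NXDOMAIN.

    mode mirrors the CoreDNS `pods` option: "disabled", "insecure" or "verified".
    """
    if mode not in ("disabled", "insecure", "verified"):
        raise ValueError(f"unknown pods mode: {mode}")
    m = _POD_NAME.match(name.lower().rstrip("."))
    if m is None or m.group("domain") != cluster_domain:
        return None                      # not a pod name in this cluster
    ns = m.group("ns")
    if ns not in namespaces:
        return None                      # namespace must exist
    try:
        ip = ipaddress.IPv4Address(m.group("ip").replace("-", "."))
    except ValueError:                   # e.g. an octet of 999 or a leading zero
        return None
    if mode == "disabled":
        return None
    if mode == "verified" and str(ip) not in namespaces[ns]:
        return None                      # only real pods get an answer
    return str(ip)


def pod_dns_name(ip: str, namespace: str, cluster_domain: str = CLUSTER_DOMAIN) -> str:
    """Inverse mapping: the pod DNS name for an IPv4 address (e.g. for an SNI host)."""
    return f"{str(ipaddress.IPv4Address(ip)).replace('.', '-')}.{namespace}.pod.{cluster_domain}"
```

In `insecure` mode the name for any routable address resolves, which is what makes the trick usable for arbitrary backends behind a reverse proxy; `verified` mode is the setting a defender wants when names should only exist for pods that do.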
>>szszrk+Kx2
I don’t think you can issue a proper cert for a private IP. So using a DNS host name is the only option.
3. CableN+zE7 2025-03-26 12:07:31
>>vbezhe+3B7
If you control an internal CA you can make certs for anything. I have one for my homelab, and even have a few certs issued for my homelab which are not for domains I control, as well as certs with IPs. The CA is who says you can't do those things, and yes, it's generally agreed upon for the public internet that certs shouldn't have IPs in them, but if you are operating internally there's nothing stopping you.
4. weinzi+BO7 2025-03-26 13:11:50
>>CableN+zE7
Let's Encrypt public internet certs can have IPs in them.

https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/

5. CableN+RU7 2025-03-26 13:52:38
>>weinzi+BO7
That's a pretty recent change, only 2 months ago. I wasn't aware of that, and you usually won't find that with other CAs.

I'm not sure I like the public internet with IP certs. I do it at home because sometimes DNS be down, and it has some good internal uses. But it shouldn't be public. Imagine firing up a /24 on Linode, requesting certs on every IP, then releasing the IPs and saving the certs. Another Linode account would later get an IP in that range, and then you can freely MITM the Linode site by IP. I'm making a number of 'magical' things in between this, of course, but it seems allowing an IP from a public CA could be a terrible thing. The only saving grace in this case is the short lifetime of the certs; however, I'm not a fan of that either.

As an aside, I'm starting to get squinty eyes relating to LE: both things they announce in that article are things that greatly affect the internet at large. I see it as something Google would pull to ensure dominance by lock-in. Sorry, you can no longer change SSL providers because certs only live a few minutes now, and of course you can't afford to not have a cert or no one will see your site. I'm exaggerating slightly, but these changes are not something I think should be allowed, and LE should've listened to everyone yelling. Sure, allow down to 6-day certs, but that will surely become the maximum soon.