List Archive: gentoo-mirrors
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Sun, 21 Mar 2010, Mark Loeser wrote:
> Please make sure that you have mirrorstats.gentoo.org in your whitelists
> for your mirrors. It is a CNAME that points to the machine we have
> monitoring all of the mirrors, so please only check that
> mirrorstats.gentoo.org resolves to who is connecting. If the IP is blocked
> by your mirror, it makes our monitoring much more difficult.
Does the IP change frequently / at all? What you're asking for is
Access rules for incoming traffic (especially for firewalls) typically
require an IP address/network and cannot specify a host by the DNS
hostname. It is probably unhealthy to depend on an external (DNS) query
before deciding whether to permit or deny a packet.
Access rules running at a higher (application) layer may support DNS
hostnames, but not in the way you envision. For example, rsyncd.conf(5)
says hosts.allow can be "a hostname. The hostname as determined by a
reverse lookup will be matched (case insensitive) against the pattern.
Only an exact match is allowed in." So, the current IP of 18.104.22.168
would resolve to magpie.gentoo.org, and that is the name to be specified.
Apache is even more stringent. Specifying a domain name in an Allow
directive "will cause Apache to perform a double reverse DNS lookup on the
client IP address[...]. It will do a reverse DNS lookup on the IP address
to find the associated hostname, and then do a forward lookup on the
hostname to assure that it matches the original IP address. Only if the
forward and reverse DNS are consistent and the hostname matches will
access be allowed."