debops/debops-playbooks

What is the problem with apex domain naming?

jbicha opened this issue · 2 comments

The docs have a warning that server.example.com should be used instead of example.com for host naming.

Please explain more clearly what the issues are with using example.com. I have a simple one-server setup.

Certainly. Asnbile provides three facts which are related to the host's name and DNS address:

  • ansible_hostname - name of a given host, without any dots, for example alpha
  • ansible_domain - the DNS domain a given host is assigned to, usually it's DNS address without the first part, for example example.org
  • ansible_fqdn - the Fully Qualified Domain Name, which is a combination of the ansible_hostname and ansible_domain variables and results in: alpha.example.org

These variables are used very extensively in the DebOps environment. This is because DebOps is designed to work on multiple hosts at once, and using DNS to manage the multiple hosts together is an easy and logical choice for this. Usually, multiple hosts that are members of the same domain share services among each other - APT cache, SMTP gateway, HTTP proxy, etc. Many services rely on a sane DNS configuration, for example PKI infrastructure - without a working DNS domain, applications that use X.509 certificates wouldn't be able to verify that a given FQDN/certificate combination is correct, even if a certificate is trusted. Many other services that are or will be managed by DebOps rely on a correct DNS setup.

To not force you to specify a correct DNS hostname and domain for each host, DebOps roles use the Ansible facts provided for them automatically, and many roles are written in such a way that they expect ansible_domain to have non-empty and sane value - otherwise what's the point, right? Unfortunately, some deployment methods like Ubuntu installer either don't let you configure a domain at all, or configure a static domain unrelated to your environment. You should make the DNS environment sane before applying DebOps configuration onto it - roles will not check the sanity of the environment (old ones, newer try to be clever about it somewhat, but it's not perfect).

Now, to the meat of the problem: If you name your host as example.org as many DebOps for WordPress users tend to do, Ansible will parse the name like this:

  • ansible_hostname = example
  • ansible_domain = org
  • ansible_fqdn = example.org

This is definitely not what you want! Now, Ansible assumes that org is your environment's DNS domain and might look for services on it - smtp.org, cache.org, etc. It's highly unlikely that you will have an entire top-level domain under your control (but hey, maybe you have? I dunno...), therefore you will definitely experience issues with this setup.

You might read a guide about good server naming scheme to further explore this topic.

Thank you for taking the time to respond.

I have a single small personal webserver so there is no load balancing and there are no other machines to handle separate roles. It made sense to me to just name it example.org since that's what it was!

After thinking about this more this past week, I decided to go ahead and name it somethingelse.example.org to better match conventions.

I'll go ahead and close this unless you want to leave it open to add a bit more explanation to the docs.