Reverse-DNS is one of the least reliable forms of host identification one can use. While source IP address isn't much better, it at least requires a full man in the middle or layer-2 compromise. With the default setting in mysql of resolving each and every hostname, one gets a false sense of security. It's quite simple for a DNS cache poisoning attack from anywhere to end up allowing somebody to connect from the wrong host.
Also, running with skip-name-resolve means one less step to perform while connecting to the server, resulting in lower connection latency. It also means more reliability, as mysql will continue to function even if its DNS resolvers are down.

Even if this option is left on, it's reasonable to suggest that mysql can be *started* before the local named that it might use is available for resolving names. Any named that does rely on a local mysqld should be configured, by default, to connect to mysql on the localhost/unix socket anyway, so it won't cause any issues to place it after mysqld for startup. Likewise, mysqld will be functional enough to function for any local service that needs it between starting and a local resolver starting.

Here is a debdiff which just removes $named from the Should portions.

While I do think skip-name-resolve is actually the better default mode, it will likely break people's systems on upgrade if it is forcibly turned off, and could even open security holes if certain hostnames have been restricted while others, like '%', have more capabilities. That change would need to go into squeeze+1 after some discussion and possibly include adding a debconf warning/question.

diff -u mysql-5.1-5.1.49/debian/mysql-server-5.1.mysql.init mysql-5.1-5.1.49/debian/mysql-server-5.1.mysql.init --- mysql-5.1-5.1.49/debian/mysql-server-5.1.mysql.init +++ mysql-5.1-5.1.49/debian/mysql-server-5.1.mysql.init @@ -4,8 +4,8 @@ # Provides: mysql # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog -# Should-Start: $network $named $time -# Should-Stop: $network $named $time +# Should-Start: $network $time +# Should-Stop: $network $time # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start and stop the mysql database server daemon diff -u mysql-5.1-5.1.49/debian/changelog mysql-5.1-5.1.49/debian/changelog --- mysql-5.1-5.1.49/debian/changelog +++ mysql-5.1-5.1.49/debian/changelog 
@@ -1,3 +1,10 @@ +mysql-5.1 (5.1.49-1.1) unstable; urgency=low + + * debian/mysql-server-5.1.mysql.init: Remove $named from + Should-Start/Should-Stop (closes: #595120) + + -- Clint Byrum <cl...@ubuntu.com> Thu, 07 Oct 2010 01:02:49 -0700 + mysql-5.1 (5.1.49-1) unstable; urgency=low * New upstream release.
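
Review bot: In the debian/mysql-server-5.1.mysql.init hunk, $named is dropped from Should-Stop as well as Should-Start, but the rationale given in the message covers only start ordering. Either state why stop ordering no longer needs the resolver, or leave the "# Should-Stop: $network $named $time" line unchanged. Because name resolution itself stays enabled, a short comment near the header noting that hostname-based grants may not match until a resolver is reachable would also help the next reader.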
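
Review bot: The new 5.1.49-1.1 entry in the debian/changelog hunk uses NMU-style version numbering but has no "* Non-maintainer upload." line as its first item, which Debian convention expects for such uploads. The entry also records what was removed without the reason; a few words on why (mysqld can be started before a local resolver is available) would make the changelog self-explanatory.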
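
An added example, not part of the original message or the Debian package: a Python audit of constructed mysql.user rows that finds Host values which only match through reverse DNS, and lists the same user's non-DNS rows a client could fall through to if name resolution were disabled (the upgrade risk described above). The row data and the names classify_host and audit are assumptions for illustration; IPv6 wildcard patterns are not handled.

```python
import ipaddress
import re

# Constructed sample of (User, Host) pairs as they might appear in mysql.user.
SAMPLE_ROWS = [
    ("app", "web1.example.com"),
    ("app", "%"),
    ("report", "%.example.com"),
    ("backup", "10.0.0.5"),
    ("backup", "10.0.%"),
    ("admin", "192.168.1.0/255.255.255.0"),
    ("root", "localhost"),
]

def classify_host(host):
    """Return 'local', 'any', 'ip' or 'dns' for a mysql.user Host value."""
    if host == "localhost":
        return "local"
    if host == "%":
        return "any"
    base, _, mask = host.partition("/")
    try:
        ipaddress.ip_address(base)        # literal address, optional netmask
        if mask:
            ipaddress.ip_address(mask)
        return "ip"
    except ValueError:
        pass
    # Purely numeric patterns such as 10.0.% match on the address, not a name.
    if re.fullmatch(r"[0-9.%_]+", host):
        return "ip"
    return "dns"                          # matching depends on reverse DNS

def audit(rows):
    """For each DNS-dependent row, list the user's rows that need no DNS."""
    findings = []
    for user, host in rows:
        if classify_host(host) != "dns":
            continue
        fallbacks = sorted(h for u, h in rows
                           if u == user and classify_host(h) in ("any", "ip"))
        findings.append((user, host, fallbacks))
    return findings

if __name__ == "__main__":
    for user, host, fallbacks in audit(SAMPLE_ROWS):
        note = f"could fall through to {fallbacks}" if fallbacks else "no other row; login would fail"
        print(f"{user}@{host}: relies on reverse DNS, {note}")
```

Rows reported with a fallback are the ones to compare privilege by privilege before changing the name-resolution default.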