[Design] Feature request: ipsec showhostkey --reverse

-----BEGIN PGP SIGNED MESSAGE-----
Hi all,

In a Live User Test of doc/quickstart.html, I discovered we could make life easier for our users by having an option like:

        ipsec showhostkey --reverse 192.0.2.11

which would produce a reverse DNS record suitable for that IP, eg. (key shortened for clarity):

	; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
	11.2.0.192.in-addr.arpa.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn

This option would prevent the user from needing to type the IP in reverse format. It would be more elegant than hand typing, would render that section of the docs more elegant, and would save a good deal of time for that percentage of users who will mistype their reverse DNS address.

There could even be a variation on this option

        ipsec showhostkey --reverse

which would attempt to discover the outgoing/public IP. Depending on the reliability of the discovery mechanism, the latter might cause more trouble than it cures.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

In the same spirit, we might have

        ipsec showhostkey --fqdn myfwd.example.com

to prepare an entry for initiator-only OE, eg.

    ; RSA 2048 bits myfwd.example.com Sat Apr 15 13:53:22 2000     myfwd.example.com. IN KEY 0x4200 4 1 AQOF8tZ2...+buFuFn

This would be helpful in cases where the hostname is not the same as the forward domain that the iOE user has access to. Once again it would reduce the need for hand editing and unneccesary explanations of same, and make our product easier to use.

Perhaps --fqdn (or the more generic term --name) could even be used in combination with other switches (--txt, --reverse) to control the name printed in the first line after "bits"?

What say the designers?

Cheers,

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

Claudia

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPmZnCnDIYXPDEHodAQFamAP+ITAJSWZGiI+80WDkPMtv94jBuQUnuIAA /PRscb9ROppcQVCgGknUyBaVD7VjRgXW2n3u1exiq+arzMKOjD+8ykX/1sInjMIO vsqqiyTnbyY4mddeDupVwfRkP5U+Amnv/hMfB1LIX8mVO8qpkspVwjSWGyVeonGA sbZHFX6CsYM=
=FS41
-----END PGP SIGNATURE-----