* Joshua D. Drake ([EMAIL PROTECTED]) wrote:
> On Wed, 2006-12-27 at 16:41 -0500, Stephen Frost wrote:
> > I'm inclined towards doing the reverse-DNS of the connecting IP and then
> > checking that the forward of that matches.
>
> Hmm what if it doesn't? Which is the case in many scenarios. My thoughts
> are:

If it doesn't then it's not allowed, of course. :)

> If www.commandprompt.com is allowed, then the ip address 207.173.200.129
> is allowed to connect.
>
> If we go the reverse way:
>
> 129.200.173.207.in-addr.arpa name = 129.commandprompt.com.
>
> Which really isn't that useful imo.

While I agree that the way your reverse DNS has been done isn't very
useful, I don't feel that such a setup should be encouraged or
accommodated by an authorization system. There's a couple of reasons to
go with reverse DNS:

#1: www.commandprompt.com could legitimately map to multiple IP addresses
#2: You may not be able to see all the addresses it maps to at a given
    time without a bunch of work (potentially requiring multiple look-ups)
#3: There's pretty much no circumstance which makes sense for an IP
    address to reverse to multiple host names
#4: Even in the case mentioned, 129.commandprompt.com does resolve back to
    the appropriate IP, so the re-check would succeed (but you'd have to
    put 129.commandprompt.com into pg_hba, or change it to 'www129' and
    put 'www*' in)
#5: It's what Kerberos does (used on >18,000 hosts at A*cough*OL). :)

> > While a wildcard does make sense (ie: www*.postgresql.org), I would
> > generally expect 'commandprompt.com' to mean '*.commandprompt.com'
> > implicitly.
>
> Hmm interesting. I wouldn't expect that. I might
> expect .commandprompt.com to mean *.commandprompt.com. But
> commandprompt.com I would expect only whatever the A record returns as
> commandprompt.com.
>
> One thing I don't want to do is create a bunch of different style
> syntaxes that are available :)

Sure. Either way for this is alright with me, really. Just be sure to
document it clearly whichever way you decide to go. :)

	Thanks,

		Stephen
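The forward-confirmed reverse lookup Stephen describes (take the PTR name of the connecting address, then check that the name's forward records contain that same address) and the host-pattern interpretations discussed in the thread, as an added example in Python. This is not code from the thread or from PostgreSQL: `confirmed_hostname`, `pattern_matches` and `host_allowed` are names chosen here, the pattern semantics (exact name, leading-dot domain suffix, `*` glob) are an assumption drawn from the discussion rather than PostgreSQL's own pg_hba rules, and the DNS records are constructed stubs (the commandprompt.com entries copy the records quoted above; the 198.51.100.x addresses are made up).

```python
import ipaddress
import socket
from fnmatch import fnmatchcase
from typing import Callable, Iterable, Optional

ReverseLookup = Callable[[str], Optional[str]]   # IP address -> PTR name, or None
ForwardLookup = Callable[[str], Iterable[str]]   # host name -> A/AAAA addresses


def system_reverse(ip: str) -> Optional[str]:
    """Real resolver: PTR lookup through the system resolver (honours /etc/hosts)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name: str) -> Iterable[str]:
    """Real resolver: every address the name currently resolves to."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


# Constructed DNS data so the check runs offline. The commandprompt.com entries
# mirror the records quoted in the thread; the 198.51.100.x hosts are made up.
CONSTRUCTED_PTR = {
    "207.173.200.129": "129.commandprompt.com.",  # trailing dot, as dig prints it
    "198.51.100.7": "www.commandprompt.com",       # PTR claims a trusted name, no forward match
    "198.51.100.8": None,                          # no PTR record at all
}
CONSTRUCTED_A = {
    "www.commandprompt.com": ["207.173.200.129"],
    "129.commandprompt.com": ["207.173.200.129"],
}


def constructed_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def constructed_forward(name: str) -> Iterable[str]:
    return CONSTRUCTED_A.get(name, [])


def confirmed_hostname(ip, reverse=system_reverse, forward=system_forward):
    """Return the client's PTR name only if that name resolves back to ip.

    The reverse zone is served by whoever controls the client's address block,
    so a PTR alone can claim any name. Requiring the forward lookup of that
    name to contain ip is what makes the name usable for authorization.
    """
    name = reverse(ip)
    if not name:
        return None
    name = name.rstrip(".").lower()
    target = ipaddress.ip_address(ip)
    for addr in forward(name):
        try:
            if ipaddress.ip_address(addr) == target:
                return name
        except ValueError:          # skip malformed answers rather than crash
            continue
    return None


def pattern_matches(pattern, hostname):
    """Match a confirmed name against a pg_hba-style pattern (assumed semantics):
      '.commandprompt.com'      any name under that domain
      pattern containing '*'   shell-style glob, e.g. 'www*.postgresql.org'
      anything else            exact match only
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    if "*" in pattern:
        return fnmatchcase(hostname, pattern)
    return hostname == pattern


def host_allowed(ip, pattern, reverse=system_reverse, forward=system_forward):
    """True only if the client has a forward-confirmed name matching pattern."""
    name = confirmed_hostname(ip, reverse, forward)
    return name is not None and pattern_matches(pattern, name)


if __name__ == "__main__":
    for ip, pat in [("207.173.200.129", "www.commandprompt.com"),
                    ("207.173.200.129", ".commandprompt.com"),
                    ("198.51.100.7", "www.commandprompt.com")]:
        print(ip, pat, host_allowed(ip, pat, constructed_reverse, constructed_forward))
```

Run against the constructed records, 207.173.200.129 is rejected by a `www.commandprompt.com` entry (its confirmed name is `129.commandprompt.com`, exactly Stephen's point #4) but accepted by `.commandprompt.com`, `*.commandprompt.com` or `129.commandprompt.com`; 198.51.100.7, whose PTR claims `www.commandprompt.com` without that name pointing back at it, is rejected by every pattern. Calling the functions without the stub arguments uses the system resolver instead.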