* Joshua D. Drake ([EMAIL PROTECTED]) wrote:
> On Wed, 2006-12-27 at 16:41 -0500, Stephen Frost wrote:
> > I'm inclined towards doing the reverse-DNS of the connecting IP and then
> > checking that the forward of that matches.
> Hmm what if it doesn't? Which is the case any many scenario. My thoughts
> are:

If it doesn't then it's not allowed, of course. :)

> If www.commandprompt.com is allowed, then the ip address
> is allowed to connect. 
> If we go the reverse way: 
>    name = 129.commandprompt.com.
> Which really isn't that useful imo.

While I agree that the way your reverse DNS has been done isn't very
useful, I don't feel that such a setup should be encouraged or
accomedated by an authorization system.  There's a couple of reasons
to go with reverse DNS:

#1: www.commandprompt.com could legitimately map to multiple IP

#2: You may not be able to see all the addresses it maps to at a given
time without a bunch of work (potentially requiring multiple look-ups)

#3: There's pretty much no circumstance which makes sense for an IP
address to reverse to multiple host names

#4: Even in the case mentioned, 129.commandprompt.com does resolve back
to the appropriate IP, so the re-check would succeed (but you'd have to
put 129.commandprompt.com into pg_hba, or change it to 'www129' and put
'www*' in)

#5: It's what Kerberos does (used on >18,000 hosts at A*cough*OL). :)

> > While a wildcard does make sense (ie: www*.postgresql.org), I would
> > generally expect 'commandprompt.com' to mean '*.commandprompt.com'
> > implicitly.
> Hmm interesting. I wouldn't expect that. I might
> expect .commandprompt.com to mean *.commandprompt.com. But
> commandprompt.com I would expect only whatever the A record returns as
> commandprompt.com.
> One thing I don't want to do is create a bunch of different style
> syntaxes that are available :)

Sure.  Either way for this is alright with me, really.  Just be sure to
document it clearly whichever way you decide to go. :)



Attachment: signature.asc
Description: Digital signature

Reply via email to