* Joshua D. Drake ([EMAIL PROTECTED]) wrote: > On Wed, 2006-12-27 at 16:41 -0500, Stephen Frost wrote: > > I'm inclined towards doing the reverse-DNS of the connecting IP and then > > checking that the forward of that matches. > > Hmm what if it doesn't? Which is the case any many scenario. My thoughts > are:
If it doesn't then it's not allowed, of course. :)
> If www.commandprompt.com is allowed, then the ip address 207.173.200.129
> is allowed to connect.
>
> If we go the reverse way:
>
> 129.200.173.207.in-addr.arpa name = 129.commandprompt.com.
>
> Which really isn't that useful imo.
While I agree that the way your reverse DNS has been done isn't very
useful, I don't feel that such a setup should be encouraged or
accomedated by an authorization system. There's a couple of reasons
to go with reverse DNS:
#1: www.commandprompt.com could legitimately map to multiple IP
addresses
#2: You may not be able to see all the addresses it maps to at a given
time without a bunch of work (potentially requiring multiple look-ups)
#3: There's pretty much no circumstance which makes sense for an IP
address to reverse to multiple host names
#4: Even in the case mentioned, 129.commandprompt.com does resolve back
to the appropriate IP, so the re-check would succeed (but you'd have to
put 129.commandprompt.com into pg_hba, or change it to 'www129' and put
'www*' in)
#5: It's what Kerberos does (used on >18,000 hosts at A*cough*OL). :)
> > While a wildcard does make sense (ie: www*.postgresql.org), I would
> > generally expect 'commandprompt.com' to mean '*.commandprompt.com'
> > implicitly.
>
> Hmm interesting. I wouldn't expect that. I might
> expect .commandprompt.com to mean *.commandprompt.com. But
> commandprompt.com I would expect only whatever the A record returns as
> commandprompt.com.
>
> One thing I don't want to do is create a bunch of different style
> syntaxes that are available :)
Sure. Either way for this is alright with me, really. Just be sure to
document it clearly whichever way you decide to go. :)
Thanks,
Stephen
signature.asc
Description: Digital signature
