On 29.02.2016 at 07:16, fab...@apache.org wrote:
Maybe the reverse dns is working on your test address?

I checked it and yes it does work that way. I never knew it did.

Indeed.

This feature makes sense because it makes it possible to allow a full domain, say
"apache.org": any host whose inverse dns resolves to the domain
can then be allowed.

But this also means that if the reverse dns is not controlled, say with
the dynamic dns and a moving ip, ip control does not work, hence my
proposal for a lesser version which just checks that a client ip is
allowed just by resolving a name.

that is unsafe

it takes me exactly 5 seconds to add a PTR "myserver.apache.org" to one of our public ip-addresses if i would like to, and nobody can do anything against it except check if the A record matches, because that can only be controlled by the domain owner

the same for anybody else who has a /24 or bigger network and the reverse dns delegated to his own nameservers - i would not do such things, others would, and so it's nothing to base authentication on
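To make the distinction concrete, here is an added example (not code from the thread or from httpd) of the "check if the A record matches" step, i.e. forward-confirmed reverse DNS, beside the weaker PTR-only check. The record tables and the resolve_ptr/resolve_a functions are constructed stand-ins so it runs offline; real use would replace them with actual resolver lookups.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) versus a PTR-only check.
# resolve_ptr / resolve_a and the tables below are constructed stand-ins for
# real DNS lookups, so the example runs offline.

# Constructed sample zones (not real records). 198.51.100.7 carries a PTR that
# claims to be an apache.org host, but apache.org's forward zone points
# myserver.apache.org at a different address, so the claim is not confirmed.
SAMPLE_PTR = {
    "203.0.113.10": ["mail.example.org."],
    "198.51.100.7": ["myserver.apache.org"],
}
SAMPLE_A = {
    "mail.example.org": ["203.0.113.10"],
    "myserver.apache.org": ["203.0.113.20"],
}


def resolve_ptr(ip: str) -> list[str]:
    """Stand-in for a PTR lookup: names the reverse zone owner claims for ip."""
    return list(SAMPLE_PTR.get(ip, []))


def resolve_a(name: str) -> list[str]:
    """Stand-in for an A lookup: addresses the forward zone owner publishes."""
    return list(SAMPLE_A.get(name, []))


def _norm(name: str) -> str:
    # Drop a trailing dot and compare case-insensitively, as DNS names are.
    return name.rstrip(".").lower()


def in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a label below it (no substring match)."""
    name, domain = _norm(name), _norm(domain)
    return name == domain or name.endswith("." + domain)


def ptr_only_allowed(ip: str, domain: str, ptr=resolve_ptr) -> bool:
    """The weak check: trusts whatever the reverse zone owner put in the PTR."""
    return any(in_domain(n, domain) for n in ptr(ip))


def fcrdns_names(ip: str, ptr=resolve_ptr, fwd=resolve_a) -> list[str]:
    """PTR names for ip whose forward (A) records resolve back to ip."""
    return [_norm(n) for n in ptr(ip) if ip in fwd(_norm(n))]


def fcrdns_allowed(ip: str, domain: str, ptr=resolve_ptr, fwd=resolve_a) -> bool:
    """Allow ip only if a forward-confirmed name lies under domain."""
    return any(in_domain(n, domain) for n in fcrdns_names(ip, ptr, fwd))
```

With the constructed data, the spoofed PTR for 198.51.100.7 passes ptr_only_allowed but fails fcrdns_allowed, while the consistent 203.0.113.10 passes both.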


