This feature makes sense because it allows to allow a full domain, say
"apache.org", any host of which the inverse dns resolves to the domain
can then be allowed.
But this also means that if the reverse dns is not controlled, say with
the dynamic dns and a moving ip, ip control does not work, hence my
proposal for a lesser version which just checks that a client ip is
allowed just by resolving a name.
that is unsafe
it takes me exactly 5 seconds to add a PTR "myserver.apache.org" to one of
our public ip-addresses if i would like to and nobody can do anything against
it except check if the A record matchs because that can only be controlled by
the domain owner
Indeed, but then "host" also checks that forward resolution works, that is
"myserver.apache.org" must *also* point back to the same IP.
the same for anybody else who has a /24 or bigger network and the reverse dns
delegated to his own namservers - i would not do such things, others would
and so it's nothing to hand authentication on it
Sure, the second forward checks that all is well.
The feature I'm proposing is not related to that. I'm suggesting to have a
way to specify host names *only* which are checked forward *only*.
Require xxx foo.apache.org
# allows ip of "foo.apache.org", just be resolving the name
For use with dyndns services.
--
Fabien.
