Hi Fabien,

On Wed, Mar 23, 2016 at 6:12 PM,  <fab...@apache.org> wrote:
>
> How about adding something like:
>
> From a security perspective, getting access to a protected page is somehow
> easier with "forward-dns" because the attacker needs only to control the DNS
> for the domain, while they would also need to control the reverse DNS with
> "host". Now, if you have important confidential data, they would not be
> only protected by host-based authorizations, would they?

I guess this question is for me, not the doc :)
Right, host-based is not the state of the art of authorizations, that
could also be documented for both "forward-dns" and "host"... maybe
without asking for an agreement from the reader? ;)

But reverse DNS is actually also easier to control than forward
anyway, so in both cases it really boils down to controlling the
configured host's domain (or the DNS/resolver used by the server).

So, finally, mentioning that *any* ip/host-based authz should be
combined with other authz/authn (SSL certificates, credentials
schemes, ...) for stronger requirements may be the way to go.
Or maybe simply not change the doc since all this might be quite obvious...

Regards,
Yann.
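As an added illustration of the point Yann makes above (this is not from the thread, the patch under discussion, or the httpd documentation), here is the host-only form that the message calls weak, next to a configuration that keeps the same network check but combines it with an authentication requirement inside a RequireAll block. The hostname, paths and AuthName are placeholders; mod_authz_host, mod_authn_file, mod_auth_basic and mod_ssl are assumed to be loaded.

```apache
# --- Weak: DNS-derived identity only ---
# "host" performs a reverse lookup on the client IP (then confirms it with a
# forward lookup); "forward-dns" resolves the configured name and compares
# the resulting addresses with the client IP. In both cases the outcome is
# controlled by whoever controls the relevant DNS zone or the resolver the
# server uses, so neither is an authentication mechanism on its own.
<Location "/confidential">
    Require host trusted.example.net
</Location>

# --- Stronger: the same network check AND user credentials, over TLS ---
# RequireAll makes every inner Require mandatory: a client must both come
# from an address that trusted.example.net resolves to and present valid
# credentials. A cert-based alternative would be SSLVerifyClient require
# together with "Require ssl-verify-client" in place of valid-user.
<Location "/confidential">
    SSLRequireSSL
    AuthType Basic
    AuthName "Confidential area (placeholder)"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/conf/htpasswd.placeholder"
    <RequireAll>
        Require forward-dns trusted.example.net
        Require valid-user
    </RequireAll>
</Location>
```

Whichever of host or forward-dns is used, the RequireAll form fails closed when DNS is compromised but credentials are not, and vice versa, which is the combination the message recommends for stronger requirements.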