On 1106156684 seconds since the Beginning of the UNIX epoch Donn Cave wrote:
>
> Fredrik Tolf <[EMAIL PROTECTED]> wrote:
>> I'm sorry if I'm wrong, but doesn't getaddrinfo get ai_canonname by
>> doing a reverse lookup? When I tried it out, at least that is what
>> happened. That's unfortunate.
>
> It depends on the platform. The GNU getaddrinfo implementation
> does. I'm assuming AI_CANONNAME in ai_flags.
>
> NetBSD 2.0, AIX 5.2 don't, they stop at what you'd get from
> gethostbyname() -- they look up CNAME aliases but don't
> look up the IP PTR.
>
> Also might be worth mentioning that the MIT implementation
> also uses this in several places, though in the critical
> sname_to_principal() function it uses getnameinfo for the
> lookup.
>
> Secure DNS would be nice for all this.

IMO, using IP PTRs is the wrong way to do this. Even with Secure DNS, you are less likely to trust the IP PTR RRs because they are frequently controlled by a different organisation.

E.g. my laptop at random locations: I can use Dynamic DNS to update the forward lookups properly, but I do not control the IP PTR RRs. Even if I have a secure way of querying the PTR RRs, they are not under my control and therefore I should not trust them. Or if I have a machine co-located, the PTR RRs are under the control of the ISP, not me.

PTR RRs should not be used (IMO, again) for any security-sensitive reason---even with secure DNS.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
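The two canonicalisation strategies the thread contrasts (CNAME chasing only, versus forward lookup followed by a PTR lookup on the resulting address) can be modelled without touching the network. The following is an added example, not code from the thread or from any libc or MIT Kerberos implementation. It uses constructed zone data: a forward zone that the host's owner controls and a reverse zone that, as in Roland's co-location case, belongs to the ISP and carries a generic name. `canonicalize_forward`, `canonicalize_reverse` and `forward_confirmed` are hypothetical helper names; the point they illustrate is that the reverse-based canonical name is whatever the reverse-zone operator published, and that a forward-confirmation check is the minimum a consumer of PTR data should apply.

```python
"""Forward-only vs reverse-based hostname canonicalisation (added example).

All DNS data below is constructed; nothing here performs a real lookup.
"""
from typing import Dict, List, Tuple

# Constructed forward zone, operated by the host's owner (updated via
# Dynamic DNS in the scenario from the mail).
FORWARD_ZONE: Dict[str, Dict[str, List[str]]] = {
    "laptop.example.org.": {"CNAME": ["dyn-host.example.org."]},
    "dyn-host.example.org.": {"A": ["192.0.2.10"]},
    # Generic ISP name for the same address; it exists in the ISP's
    # forward zone, so it is resolvable, but it is not the owner's name.
    "customer-10.isp.example.net.": {"A": ["192.0.2.99"]},
}

# Constructed reverse zone, operated by the ISP, not by the host's owner.
REVERSE_ZONE: Dict[str, List[str]] = {
    "10.2.0.192.in-addr.arpa.": ["customer-10.isp.example.net."],
}


def _fqdn(name: str) -> str:
    """Normalise to an absolute name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def canonicalize_forward(name: str,
                         zone: Dict[str, Dict[str, List[str]]] = FORWARD_ZONE,
                         max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow the CNAME chain and stop at the first name that has addresses.

    This is the behaviour the mail attributes to NetBSD 2.0 and AIX 5.2:
    the canonical name is taken from forward data only.
    """
    seen = set()
    cur = _fqdn(name)
    for _ in range(max_hops):
        if cur in seen:
            raise ValueError("CNAME loop at %s" % cur)
        seen.add(cur)
        rrset = zone.get(cur, {})
        if "CNAME" in rrset:
            cur = rrset["CNAME"][0]
            continue
        if "A" in rrset:
            return cur, list(rrset["A"])
        raise LookupError("no A record for %s" % cur)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def canonicalize_reverse(name: str,
                         fwd: Dict[str, Dict[str, List[str]]] = FORWARD_ZONE,
                         rev: Dict[str, List[str]] = REVERSE_ZONE
                         ) -> Tuple[str, List[str]]:
    """Forward lookup, then take the canonical name from the address's PTR.

    This models the reverse-lookup style the mail attributes to the GNU
    getaddrinfo with AI_CANONNAME.  Whoever runs the reverse zone decides
    the result; with a missing PTR we fall back to the forward answer.
    """
    canon, addrs = canonicalize_forward(name, fwd)
    ptrs = rev.get(reverse_name(addrs[0]), [])
    return (ptrs[0] if ptrs else canon), addrs


def forward_confirmed(ptr_name: str, ip: str,
                      fwd: Dict[str, Dict[str, List[str]]] = FORWARD_ZONE
                      ) -> bool:
    """Accept a PTR-derived name only if it resolves back to the same address.

    This does not make PTR data trustworthy, but it rejects a reverse name
    that the forward-zone owner never pointed at this address.
    """
    try:
        _, addrs = canonicalize_forward(ptr_name, fwd)
    except (LookupError, ValueError):
        return False
    return ip in addrs


if __name__ == "__main__":
    print("forward :", canonicalize_forward("laptop.example.org"))
    print("reverse :", canonicalize_reverse("laptop.example.org"))
    rname, (ip, *_) = canonicalize_reverse("laptop.example.org")
    print("PTR name forward-confirmed:", forward_confirmed(rname, ip))
```

Run stand-alone, the forward variant yields `dyn-host.example.org.`, the reverse variant yields the ISP's `customer-10.isp.example.net.`, and the forward-confirmation check rejects that PTR name because the ISP's forward zone maps it to a different address. A service that keys authorisation on the reverse-derived name would be keying it on data the host's owner never controlled, which is the thread's objection to PTR-based canonicalisation.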