[lug] Re: Virtual Hosting
rm at mamma.varadinet.de
rm at mamma.varadinet.de
Wed Mar 14 15:32:21 MST 2001
On Wed, Mar 14, 2001 at 03:25:44PM -0700, John Hernandez wrote:
> Given our hypothetical scenario (where there is not a 1-to-1 mapping of name-to-address, rather a many-to-1 mapping), you're basically forced to pick one of those names for reverse lookup purposes, aren't you? What would be the alternative?
>
> A typical client app provides an IP address to the server upon connection (in the form of an IP source address). The order of lookups (for a paranoid server) is then address -> name, and then resulting-name -> address, not the other way around as you suggested. Servers are generally happy when address(in) == address(out), as you correctly stated, but that condition is satisfied by setting your PTR RR value to any one of the set of valid A RR keys.
I was talking about the server side, not the client name/address.
Imagine a client that downloaded an java applet. Now the applet
needs to get some resource (image/database connection etc.) and
attempts to open a tcp/ip connection back to the server. The java
sandbox security manager will only allow connections back to the
server _iff_ the servers name is the same as the server from which
the applet was initially loaded. So an applet from www.big-money.com
can't connect to secure.big-money.com even if the two host have
the same IP address. It's easy to imagine that tighter security
managers will do reverse lookup on the server name as well and
reject the connection. Of course this is of no concern to most
of us, but it can generate the kind of bug that' especially hard
to hunt down. I allready got bitten by it ....
Ralf
More information about the LUG
mailing list