
Re: Perl Sasl GSSAPI and


Simon Wilkinson

Apr 13, 2009, 1:25:44 PM4/13/09
to Dale....@cs.cmu.edu, perl...@perl.org

On 13 Apr 2009, at 17:23, Dale Moore wrote:
> I recommend that if we are going to use Net::LDAP get the peerhost,
> and use it as part of the service name, that we modify Net::LDAP to
> do the reverse DNS and not expect GSSAPI to do it. Or we change our
> approach in dealing with hosts with round-robin ip addresses.

The reason why both MIT and Heimdal are moving away from doing reverse
lookups is that it introduces a security dependency on the DNS. Given
that (in general) the DNS is not secure, moving the lookup elsewhere
is a retrograde step. Net::LDAP should simply pass the server name
that it has been asked to connect to through to the GSSAPI library.
The correct place to handle name resolution issues is on the server,
or (once referral support is in place) on the KDC.

S.
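
The contrast the reply draws, as an added example (not code from this thread, from Net::LDAP or from Authen::SASL): one routine derives the GSSAPI target from the name the caller asked for, the other from a reverse lookup of the peer address, and the SASL client is then built from the first. The host name is hypothetical, and the script assumes an Authen::SASL installation with a GSSAPI backend; how a given Net::LDAP version chooses the host it hands to the SASL client is not shown.

```perl
#!/usr/bin/perl
# Added example: choosing the GSSAPI target name for an LDAP bind.
# Not from the perl-ldap thread, Net::LDAP or Authen::SASL.
use strict;
use warnings;
use Socket qw(inet_aton AF_INET);
use Authen::SASL;

# Hypothetical name; this is what the caller would pass to Net::LDAP->new.
my $requested = 'ldap.example.com';

# Policy the reply argues for: the target depends only on the requested
# name. Nothing is resolved, so control of the DNS buys an attacker nothing.
sub target_as_given {
    my ($host) = @_;
    return "ldap\@$host";
}

# Policy being moved away from: reverse-resolve the peer address and trust
# the PTR answer. Whoever answers that query chooses the principal the
# client will request a ticket for. Returns undef if the lookup fails.
sub target_from_peer {
    my ($peer_ip) = @_;
    my $packed = inet_aton($peer_ip) or return;
    my $name = gethostbyaddr($packed, AF_INET) or return;
    return "ldap\@$name";
}

# Build the SASL client from the requested name. Authen::SASL forms the
# service principal from the service and host given here, so a round-robin
# alias has to be registered as a service principal on the server (or be
# resolved by the KDC), not patched over with a reverse lookup in the client.
my $sasl   = Authen::SASL->new(mechanism => 'GSSAPI');
my $client = $sasl->client_new('ldap', $requested);

printf "target as given:        %s\n", target_as_given($requested);
printf "SASL client host:       %s\n", $client->host;
printf "target via reverse DNS: %s\n",
    target_from_peer('192.0.2.10') // '(lookup failed)';   # 192.0.2.0/24 is documentation space
```

When the server is reached through a round-robin alias, the operational fix that matches the reply is on the server side: add ldap/<alias> to the server's keytab so that a ticket requested for the name the client was given is accepted, rather than having the client guess a canonical name from DNS.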
