[Chilli] uamdomain / uamallowed

David Bird david at coova.com
Wed Nov 10 16:03:34 UTC 2010


Well, here is where the change would be... that "google.com" would NOT
mean "*google.com" (and "*.google.com" isn't the same since it excludes
"google.com" itself).

Thinking that the best approach might be to basically keep it the way it
is, that a uamdomain is always "*domain". The addition will be that
hostnames in uamallowed could also be checked in DNS responses to pick
up new/round-robin IPs. Why not just re-check the uamallowed at an
interval? We do already, but that still would not pick up more dynamic
DNS responses (again, round-robin IPs, etc). If "*domain" isn't wanted,
then use uamallowed with the hostname. ? We could also add a '!' prefix
to dis-authorize hostnames that are otherwise in the uamdomain. 


On Wed, 2010-11-10 at 16:18 +0200, Henk Kleynhans wrote:
> I fall into the "most would consider camp" here... For example, if I
> give access to google.com, I expect there to be access to
> maps.google.com, mail.google.com, translate.google.com etc without
> explicitly setting a wildcard.
> 
> 
> If I wanted to provide access to only a few subdomains, I would
> specify each of them explicitly. 
> 
> 
> Henk
> 
> 
> 
> 
> On Wed, Nov 10, 2010 at 12:05 PM, David Bird <david at coova.com> wrote:
>         By "single domain" you then mean an implicit "*.domain" match? I
>         suppose that is just nomenclature, but I think most would consider
>         a "domain" a group of hostnames, not just one (even if that
>         "hostname" is "coova.org"). Hmm.. maybe we do explicitly require
>         *-wildcard matching, but automatically add the "*" prefix if the
>         uamdomain starts with a '.' (for those who already use
>         ".coova.org", for example, in their configurations).
>         
>         
>         On Wed, 2010-11-10 at 09:46 +0100, Wichert Akkerman wrote:
>         > On 11/10/10 06:51 , David Bird wrote:
>         > > In an effort to make uamdomain a bit more flexible, a change is
>         > > required. Right now, DNS queries ending in any uamdomain defined are
>         > > added to the garden when resolved. This means it's always "*uamdomain"
>         > > in the match. Instead, maybe the "*" should have to be explicit, as in
>         > > "uamdomain=*.domain.com" so that you can also do single hostnames such
>         > > as "uamdomain=singlehost.domain.com". ?
>         >
>         > I had always expected uamdomain to specify a single domain, not a
>         > wildcard. I feel pretty strongly wildcards should be explicitly
>         > specified since they can be a security risk.
>         >
>         > > Or, uamdomain could be kept as-is (and via an option) hostnames in
>         > > uamallowed can be "re-checked" against DNS to pick up any round-robin
>         > > (or just new) IP addresses to add to garden ?  This way, the syntax for
>         > > uamdomain does not need to change and hostnames used in uamallowed will
>         > > update the walled garden when those hostnames are resolved by users (and
>         > > not just resolved on start-up).
>         >
>         > Perhaps cache entries for a configurable amount of time?
>         >
>         > Wichert.
>         > _______________________________________________
>         > Chilli mailing list
>         > Chilli at coova.org
>         > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> 
> -- 
> Henk Kleynhans
> CEO & Founder
> Skyrove (Pty) Ltd
> Technology Top 100 - Most Promising Emerging Enterprise
> Tel: 0861 768 377
> Cell: +27 (84) 3073451
> Fax: +27 (86) 6204077
> henk at skyrove.com
>  blog: www.geekrebel.com 
> 
> ------
> 
> "A person with ubuntu is open and available to others, affirming of
> others, does not feel threatened that others are able and good, for he
> or she has a proper self-assurance that comes from knowing that he or
> she belongs in a greater whole and is diminished when others are
> humiliated or diminished, when others are tortured or oppressed." -
> Desmond Tutu
> 
> 
> 
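
The matching rules debated in this thread, written out as an added example (not CoovaChilli's own code) so the difference between the implicit "*domain" suffix match and the proposed explicit-wildcard form can be compared on the same hostnames. The function names, the example.com entries and the rule that a '!' entry overrides any allow entry are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "host ends in suffix" (DNS names ignore case). */
static int ends_with(const char *host, const char *suffix) {
    size_t hl = strlen(host), sl = strlen(suffix);
    if (sl > hl) return 0;
    host += hl - sl;
    for (size_t i = 0; i < sl; i++)
        if (tolower((unsigned char)host[i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Behaviour described in the thread: always an implicit "*domain". */
int legacy_match(const char *entry, const char *host) {
    return ends_with(host, entry);
}

/* Proposed form: "*x" is a suffix wildcard, a leading '.' is read as
 * "*.x" for existing configurations, anything else is one hostname. */
int explicit_match(const char *entry, const char *host) {
    if (entry[0] == '*') return ends_with(host, entry + 1);
    if (entry[0] == '.') return ends_with(host, entry);
    return strlen(entry) == strlen(host) && ends_with(host, entry);
}

/* Assumption: a '!' entry dis-authorizes and wins over any allow entry. */
int garden_allows(const char *const *entries, size_t n, const char *host,
                  int (*match)(const char *, const char *)) {
    int allowed = 0;
    for (size_t i = 0; i < n; i++) {
        const char *e = entries[i];
        if (e[0] == '!' && match(e + 1, host)) return 0;
        if (e[0] != '!' && match(e, host)) allowed = 1;
    }
    return allowed;
}

int main(void) { /* constructed sample entries and hostnames */
    const char *cfg[] = { "example.com", "!mail.example.com" };
    const char *hosts[] = { "example.com", "maps.example.com",
                            "notexample.com", "mail.example.com" };
    for (size_t i = 0; i < 4; i++)
        printf("%-18s legacy=%d explicit=%d\n", hosts[i],
               garden_allows(cfg, 2, hosts[i], legacy_match),
               garden_allows(cfg, 2, hosts[i], explicit_match));
}
```

Under the suffix rule the entry "example.com" also admits "notexample.com", which is the case the explicit "*.example.com" form excludes.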