Re: CIDR in pg_hba.conf
From | Kurt Roeckx |
---|---|
Subject | Re: CIDR in pg_hba.conf |
Date | |
Msg-id | 20030508225958.GA22657@ping.be |
In response to | Re: CIDR in pg_hba.conf (Matthew Kirkwood <matthew@hairy.beasts.org>) |
Responses | Re: CIDR in pg_hba.conf |
List | pgsql-hackers |
On Thu, May 08, 2003 at 11:01:16PM +0100, Matthew Kirkwood wrote:
> On Thu, 8 May 2003, Larry Rosenman wrote:
>
> > >> a paranoid lookup: name->ip->name and make sure it's sane.
> > >> (My abuse/security/paranoid hat).
> > >
> > > If you're being paranoid, why use hostnames at all?
> >
> > My point. But, if we are going to allow hostnames, we ought to make
> > sure the userbase (and us) understand the holes.
>
> But _there are none_ if you only do forward lookups.

There are. You can even make an authoritative nameserver return a
wrong answer.

It can only make sense if you only look it up once on start up (or
rehash), but then what is the point of it? And even that is
questionable.

You should NEVER do authentication based on a hostname. You can't
even always rely on an IP address (or MAC address).

Kurt
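
The three kinds of check discussed in this thread, as an added example that is not part of the original message or PostgreSQL's code: a forward-only hostname match, the paranoid double lookup (done here from the connecting address: ip -> name -> ip), and a CIDR match, all run against constructed resolver tables. The hostname, the documentation-range addresses, and every function name are assumptions made for illustration.

```python
import ipaddress

# Constructed resolver data (documentation addresses). A real server would
# query DNS, whose answers are outside the database server's control.
FORWARD = {"app1.example.com": ["192.0.2.10"]}
REVERSE = {"192.0.2.10": "app1.example.com", "198.51.100.7": "app1.example.com"}
# The same name after its forward answer has changed (constructed).
CHANGED_FORWARD = {"app1.example.com": ["198.51.100.7"]}


def forward_only(rule_host, client_ip, forward):
    """Accept if the rule's hostname currently resolves to the client address."""
    return client_ip in forward.get(rule_host, [])


def paranoid(rule_host, client_ip, forward, reverse):
    """ip -> name -> ip: the reverse name must equal the rule's hostname and
    the forward lookup of that name must include the client address."""
    name = reverse.get(client_ip, "").rstrip(".").lower()
    if name != rule_host.lower():
        return False
    return client_ip in forward.get(name, [])


def cidr_rule(rule_net, client_ip):
    """Accept if the client address is inside the configured network; no DNS."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule_net)


def evaluate(client_ip, forward, reverse):
    """Run all three checks for one connecting address."""
    return {
        "forward_only": forward_only("app1.example.com", client_ip, forward),
        "paranoid": paranoid("app1.example.com", client_ip, forward, reverse),
        "cidr": cidr_rule("192.0.2.0/24", client_ip),
    }


if __name__ == "__main__":
    for label, fwd in (("original", FORWARD), ("changed", CHANGED_FORWARD)):
        for ip in ("192.0.2.10", "198.51.100.7"):
            print(label, ip, evaluate(ip, fwd, REVERSE))
```

With the original tables the double lookup rejects the address whose reverse record merely claims the name, but once the forward answer changes both hostname checks follow it, while the CIDR result depends only on the configured network.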