From: | Kurt Roeckx <Q(at)ping(dot)be> |
---|---|
To: | Matthew Kirkwood <matthew(at)hairy(dot)beasts(dot)org> |
Cc: | Larry Rosenman <ler(at)lerctr(dot)org>, Andrew Sullivan <andrew(at)libertyrms(dot)info>, PostgreSQL Hackers Mailing List <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: CIDR in pg_hba.conf |
Date: | 2003-05-08 22:59:58 |
Message-ID: | 20030508225958.GA22657@ping.be |
Lists: | pgsql-hackers |
On Thu, May 08, 2003 at 11:01:16PM +0100, Matthew Kirkwood wrote:
> On Thu, 8 May 2003, Larry Rosenman wrote:
>
> > >> a paranoid lookup: name->ip->name and make sure it's sane.
> > >> (My abuse/security/paranoid hat).
> > >
> > > If you're being paranoid, why use hostnames at all?
> >
> > My point. But, if we are going to allow hostnames, we ought to make
> > sure the userbase (and us) understand the holes.
>
> But _there are none_ if you only do forward lookups.

There are. You can even make an authoritative nameserver return
a wrong answer.

It can only make sense if you only look it up once on start up
(or rehash), but then what is the point of it? And even that is
questionable.

You should NEVER do authentication based on a hostname. You
can't even always rely on an IP address (or MAC address).

Kurt