Re: CIDR in pg_hba.conf

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Kurt Roeckx <Q(at)ping(dot)be>
Cc: Matthew Kirkwood <matthew(at)hairy(dot)beasts(dot)org>, Larry Rosenman <ler(at)lerctr(dot)org>, Andrew Sullivan <andrew(at)libertyrms(dot)info>, PostgreSQL Hackers Mailing List <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: CIDR in pg_hba.conf
Date: 2003-05-09 01:06:31
Message-ID: 20030509010631.GA5782@wolff.to
Lists: pgsql-hackers

On Fri, May 09, 2003 at 00:59:58 +0200,
Kurt Roeckx <Q(at)ping(dot)be> wrote:
>
> There are. You can even make an authoritative nameserver return
> a wrong answer.

This is incorrect. You might be able to use DNS spoofing to fake a response,
but in that case a reverse lookup isn't going to help. Because in
theory the person in control of what a domain name means is also (indirectly)
in control of the DNS records for that name, it is reasonable to trust
DNS for forward resolution of domain names.

Reverse lookups are different. In theory whoever is in control of the
IP address for which a PTR record is being looked up controls what
is returned. Since this isn't necessarily whoever controls the
domain returned, you need to do a forward lookup to check and make
sure the IP address is listed.

> It can only make sense if you only look it up once on start up
> (or rehash), but then what is the point of it? And even that is
> questionable.

Efficiency. If there are a number of domain name entries you may only
want to check them when reading hba.conf. This does break some useful
things about using domain names in hba.conf.

> You should NEVER do authentication based on a hostname. You
> can't even always rely on an IP address (or MAC address).

NEVER is too strong. Certainly there is additional risk in doing this,
but depending on the benefits of doing this it may be a useful tradeoff.
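The forward-confirmed reverse lookup described above, written out as an added example (not code from this thread or from PostgreSQL): the PTR answer is only accepted when the name it returns forward-resolves back to the connecting address. The FAKE_PTR/FAKE_A tables are constructed stand-ins for live DNS so the check can be exercised offline; the system_* functions show the same calls against the OS resolver.

```python
import ipaddress
import socket


def system_reverse(ip):
    """PTR lookup via the OS resolver (needs network; the demo below avoids it)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []


def system_forward(name):
    """A/AAAA lookup via the OS resolver (needs network; the demo below avoids it)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def host_matches(client_ip, allowed_host, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: accept client_ip as allowed_host only if a
    PTR record names allowed_host AND allowed_host forward-resolves back to
    client_ip. Whoever holds the address block controls the PTR answer, so the
    reverse lookup alone is never trusted."""
    ip = ipaddress.ip_address(client_ip)
    wanted = allowed_host.rstrip(".").lower()
    claimed = {n.rstrip(".").lower() for n in reverse(client_ip)}
    if wanted not in claimed:
        return False  # PTR does not even claim the allowed name
    return any(ipaddress.ip_address(a) == ip for a in forward(wanted))


# Constructed zone data standing in for live DNS answers (hypothetical values).
FAKE_PTR = {
    "192.0.2.10": ["db-client.example.org."],    # honest PTR; forward agrees
    "198.51.100.7": ["db-client.example.org."],  # forged PTR; forward disagrees
}
FAKE_A = {"db-client.example.org": ["192.0.2.10"]}


def fake_reverse(ip):
    return FAKE_PTR.get(ip, [])


def fake_forward(name):
    return FAKE_A.get(name, [])
```

With the constructed data, 192.0.2.10 passes and 198.51.100.7 is rejected even though its PTR claims the same name.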
