Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, "Dickson S(dot) Guedes" <guediz(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses
Date: 2008-06-13 19:30:03
Message-ID: 14475.1213385403@sss.pgh.pa.us
Lists: pgsql-hackers

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> The reason it wasn't done years ago was that there was disagreement on
> the way it should work. And the TODO actually lists several alternatives:

IIRC, the major reason there was disagreement was the prospect of
unacceptable performance from any of the easy or obvious
implementations. As Andrew S notes, you can't just do the lookups
once at postmaster start; but resolving a pile of hostnames during
each connection is pretty unpleasant, especially if the DNS server
isn't local. (And then there are the effective-DOS implications if
the DNS server is down altogether.)

The attraction of the reverse-lookup approach is that you do only
one lookup, on the actual connection IP, rather than having to
resolve every hostname in the file to see if it matches. However
that way had disadvantages of its own, which I don't recall at the
moment. I think at least some of the issues had to do with security,
ie how much can you trust an answer from a remote DNS server.

Check the archives before you start implementing ...

regards, tom lane
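
As an added illustration (not part of the original message and not PostgreSQL code), the sketch below compares the two matching strategies discussed above, using a stub resolver over constructed records and counting lookups per connection. The forward-confirmation step in `match_reverse` goes beyond the message: it is one common way to limit how far a reverse-DNS answer is trusted. All hostnames, addresses and function names are assumptions.

```python
# Added illustration: hostnames, addresses and helper names are constructed.
class StubDNS:
    """Offline resolver over constructed records; counts queries, can simulate an outage."""
    def __init__(self, forward, reverse, down=False):
        self.forward, self.reverse, self.down, self.queries = forward, reverse, down, 0

    def _query(self, table, key, default):
        self.queries += 1
        if self.down:
            raise OSError("DNS server unreachable")
        return table.get(key, default)

    def resolve(self, host):          # hostname -> list of addresses
        return self._query(self.forward, host, [])

    def reverse_lookup(self, ip):     # address -> PTR name or None
        return self._query(self.reverse, ip, None)

def match_forward(rules, client_ip, dns):
    """Resolve each listed hostname until one maps to the client address."""
    for host in rules:
        try:
            if client_ip in dns.resolve(host):
                return host
        except OSError:
            continue                  # an unresolvable rule cannot match
    return None

def match_reverse(rules, client_ip, dns, confirm=True):
    """One reverse lookup on the client address, optionally forward-confirmed."""
    try:
        name = dns.reverse_lookup(client_ip)
        if name not in rules:
            return None
        if confirm and client_ip not in dns.resolve(name):
            return None               # PTR name does not map back to this address
        return name
    except OSError:
        return None                   # fail closed when DNS is unavailable

RULES = ["app1.example.com", "app2.example.com", "db-admin.example.com"]

def sample_dns(down=False):
    forward = {"app1.example.com": ["192.0.2.10"], "app2.example.com": ["192.0.2.11"],
               "db-admin.example.com": ["192.0.2.12"]}
    # The PTR for 203.0.113.5 is set by whoever runs that address's reverse zone.
    reverse = {"192.0.2.11": "app2.example.com", "203.0.113.5": "db-admin.example.com"}
    return StubDNS(forward, reverse, down)
```

With the stub marked as down, the forward strategy still issues one query per listed hostname before rejecting, while the reverse strategy issues one.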
