Skip site navigation (1) Skip section navigation (2)

Re: Why don't we allow DNS names in pg_hba.conf?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Euler Taveira de Oliveira <eulerto(at)yahoo(dot)com(dot)br>, "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Date: 2006-01-03 17:43:03
Message-ID: 17937.1136310183@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-hackers
Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> One thing that bothers me slightly is that we would need to look up each 
> name (at least until we found a match) for each connection. If you had 
> lots of names in your pg_hba.conf that could be quite a hit.

A possible answer to that is to *not* look up the names from
pg_hba.conf, but instead restrict the feature to matching the
reverse-DNS name of the client.  This limits the cost to one lookup per
connection instead of N (and it'd be essentially free if you have
log_hostnames turned on, since we already do that lookup in that case).

I'm not sure about the relative usefulness of this compared to the
forward-lookup case, nor whether it's riskier or less risky from a
spoofing point of view.  But something to consider.

			regards, tom lane

In response to

Responses

pgsql-hackers by date

Next:From: Larry RosenmanDate: 2006-01-03 18:08:46
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Previous:From: Tom LaneDate: 2006-01-03 17:37:32
Subject: Re: [Bizgres-general] WAL bypass for INSERT, UPDATE and

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group