
Re: Why don't we allow DNS names in pg_hba.conf?

From: "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>
To: Andreas Pflug <pgadmin(at)pse-consulting(dot)de>
Cc: "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Date: 2006-01-03 16:18:12
Message-ID: 20060103161812.GF82560@pervasive.com
Lists: pgsql-hackers
On Sun, Jan 01, 2006 at 09:03:00PM +0100, Andreas Pflug wrote:
> Marc G. Fournier wrote:
> 
> >On Sun, 1 Jan 2006, Tom Lane wrote:
> >
> >>I was reminded of $subject by
> >>http://archives.postgresql.org/pgsql-admin/2006-01/msg00002.php
> >>
> >>While I haven't tried it, I suspect that allowing a DNS host name
> >>would take little work (basically removing the AI_NUMERICHOST flag
> >>passed to getaddrinfo in hba.c).  There was once a good reason not
> >>to allow it: slow DNS lookups would lock up the postmaster.  But
> >>now that we do this work in an already-forked backend, with an overall
> >>timeout that would catch any indefinite blockage, I don't see a good
> >>reason why we shouldn't let people use DNS names.
> >>
> >>Thoughts?
> >
> >
> >Security?
> 
> 
> I'd bet most pg_hba.conf entries will be (private) networks, not hosts. 
> Since private networks defined in DNS are probably quite rare, only few 
> people could benefit.
> 
> Those who *do* define specific host entries are probably quite security
> aware. They might find DNS safe for their purposes, but they'd probably
> like a function that shows the resulting hba entries after DNS resolution.

I don't know if the normal DNS libraries allow this, but it would be
cool if you could specify that an entry in pg_hba.conf could be looked
up from /etc/hosts, but not from generic DNS. AFAIK that would eliminate
the possibility of spoofing.
-- 
Jim C. Nasby, Sr. Engineering Consultant      jnasby(at)pervasive(dot)com
Pervasive Software      http://pervasive.com    work: 512-231-6117
vcard: http://jim.nasby.net/pervasive.vcf       cell: 512-569-9461
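The one-line difference Tom describes (dropping AI_NUMERICHOST from the getaddrinfo() call) together with the "show me the resolved entries" check Andreas asks for, as an added C example that is not PostgreSQL's hba.c: hba_resolve_host() and its arguments are names chosen here, and the host fields in main() are constructed.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>

/* Map a pg_hba.conf host field to the numeric address it will match.
 * allow_dns_names == 0: pass AI_NUMERICHOST, so only IP literals are accepted
 *   and no resolver (hosts file or DNS) is ever consulted.
 * allow_dns_names == 1: drop the flag, the change proposed in the thread, so a
 *   name is resolved through the system resolver.
 * Returns 0 and fills out[] on success, else the getaddrinfo() error code. */
int hba_resolve_host(const char *host, int allow_dns_names,
                     char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int rc;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;          /* IPv4 or IPv6 */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = allow_dns_names ? 0 : AI_NUMERICHOST;

    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;                        /* e.g. EAI_NONAME for a name */
    /* Render numerically so a reviewer sees the effective entry. */
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t) outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc;
}

/* Print how a few constructed host fields resolve under both policies. */
int main(void)
{
    const char *fields[] = { "127.0.0.1", "::1", "localhost" };
    char addr[64];

    for (int allow = 0; allow <= 1; allow++) {
        printf("allow_dns_names=%d\n", allow);
        for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
            int rc = hba_resolve_host(fields[i], allow, addr, sizeof addr);
            if (rc == 0)
                printf("  %-10s -> %s\n", fields[i], addr);
            else
                printf("  %-10s -> rejected: %s\n", fields[i], gai_strerror(rc));
        }
    }
    return 0;
}
```

With the flag set, a name is rejected before any lookup, so a forged resolver answer has nothing to influence; without it, the "localhost" line shows whatever the system resolver returns.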
