On Tue, Jan 03, 2006 at 12:43:03PM -0500, Tom Lane wrote:
> Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> > One thing that bothers me slightly is that we would need to look up each
> > name (at least until we found a match) for each connection. If you had
> > lots of names in your pg_hba.conf that could be quite a hit.
> A possible answer to that is to *not* look up the names from
> pg_hba.conf, but instead restrict the feature to matching the
> reverse-DNS name of the client. This limits the cost to one lookup per
> connection instead of N (and it'd be essentially free if you have
> log_hostnames turned on, since we already do that lookup in that case).
> I'm not sure about the relative usefulness of this compared to the
> forward-lookup case, nor whether it's riskier or less risky from a
> spoofing point of view. But something to consider.
I think it's riskier. I have my own PTR records, which I can make be
whatever I wish without any authority verifying that my actions are
proper. Most people don't, but this is because most people don't
ask for them, or don't know how or where to ask for them. The security
benefit is in the address, not in the name. The convenience is in the
name, and not the address.
I'm not seeing why forward lookups are bad. There are several options
available for controlling this, including configuring /etc/hosts to be
searched first, before DNS, using nsswitch.conf. Another option is
to use your own DNS server, with its own zone records, such that
/etc/resolv.conf uses 127.1, which will serve my own records before
doing a recursive lookup over the network.
It's not a big deal. I'd recommend keeping documentation, and inlined
comment warnings all over the place - but if people want to use names,
I'm not seeing the problem. They can already hang themselves, by granting
full access to the Internet, by network mask? :-)
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com
Neighbourhood Coder, Ottawa, Ontario, Canada
One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...
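The forward-versus-reverse trade-off argued in this message, as an added Python example that is not from the thread or from PostgreSQL itself. The DNS tables, host names and addresses are constructed stand-ins so it runs offline; the "confirmed" variant goes one step beyond the post by taking Tom's single reverse lookup and then forward-checking the returned name against the client address.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed, offline stand-ins for DNS: a forward (A) table and a PTR table.
FORWARD: Dict[str, List[str]] = {
    "app1.example.org": ["192.0.2.10"],
    "app2.example.org": ["192.0.2.11", "192.0.2.12"],
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "app1.example.org",
    # A PTR the address owner set themselves; no authority checked it.
    "198.51.100.7": "app1.example.org",
}

def forward_lookup(name: str) -> List[str]:
    return FORWARD.get(name, [])

def reverse_lookup(addr: str) -> Optional[str]:
    return REVERSE.get(addr)

def hba_match_forward(client_addr: str, hba_host: str,
                      forward: Callable = forward_lookup) -> bool:
    """Forward approach: resolve the configured name, compare addresses.
    The decision rests on the address, which the name's owner controls."""
    client = ipaddress.ip_address(client_addr)
    return any(ipaddress.ip_address(a) == client for a in forward(hba_host))

def hba_match_reverse_only(client_addr: str, hba_host: str,
                           reverse: Callable = reverse_lookup) -> bool:
    """Reverse-only approach: trust whatever the client's PTR record says."""
    return reverse(client_addr) == hba_host

def hba_match_confirmed(client_addr: str, hba_host: str,
                        forward: Callable = forward_lookup,
                        reverse: Callable = reverse_lookup) -> bool:
    """One reverse lookup, then forward-confirm the name it returned."""
    name = reverse(client_addr)
    if name != hba_host:
        return False
    return hba_match_forward(client_addr, name, forward)

def first_matching_entry(client_addr: str, hba_hosts: List[str],
                         matcher: Callable) -> Optional[str]:
    """Walk pg_hba.conf-style names in order, stopping at the first match;
    with the forward approach this costs up to N lookups per connection."""
    for host in hba_hosts:
        if matcher(client_addr, host):
            return host
    return None
```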