Re: Why don't we allow DNS names in pg_hba.conf?

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Euler Taveira de Oliveira <eulerto(at)yahoo(dot)com(dot)br>
Cc: "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Date: 2006-01-03 17:34:59
Message-ID: 43BAB5C3.4060906@dunslane.net
Lists: pgsql-hackers

Euler Taveira de Oliveira wrote:

>--- "Jim C. Nasby" <jnasby(at)pervasive(dot)com> wrote:
>
>>I don't know if the normal DNS libraries allow this, but it would be
>>cool if you could specify that an entry in pg_hba.conf could be looked
>>up from /etc/hosts, but not from generic DNS. AFAIK that would eliminate
>>the possibility of spoofing.
>
>Take a look at 'man /etc/host.conf'.

That won't work for per-application settings. I think this is a non-starter.

I have been thinking more about possible real world use cases for this 
facility. I suspect they will be comparatively rare. In cases where you 
don't trust DNS you shouldn't use it, and in cases where you do you 
probably know the address(es) anyway. If the change is simple it's worth 
doing, but it's not a huge leap. The biggest wrinkle will probably be 
handling names that map to multiple addresses.

One thing that bothers me slightly is that we would need to look up each 
name (at least until we found a match) for each connection. If you had 
lots of names in your pg_hba.conf that could be quite a hit. We need to 
test this not with one but with a couple of hundred names, maybe, to see 
what the hit is like.

cheers

andrew
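
The per-connection lookup cost and the multi-address case raised in this message can be sketched as follows. This is an added example, not code from the thread or from PostgreSQL; `match_client`, the resolver hook, and the sample names and addresses are assumptions made for illustration.

```python
import ipaddress
import socket

def resolve(name):
    """Forward-resolve a name via the system resolver; return every address it maps to."""
    try:
        infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # an unresolvable name matches nothing
    # Strip any IPv6 scope id ("%eth0") before parsing.
    return {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}

def match_client(client_ip, names, resolver=resolve):
    """Try names in file order; return (matching name or None, lookups performed)."""
    client = ipaddress.ip_address(client_ip)
    lookups = 0
    for name in names:
        lookups += 1
        if client in resolver(name):  # a name may map to several addresses
            return name, lookups
    return None, lookups

# Constructed sample data (documentation address ranges) standing in for DNS so
# the example runs offline: 200 names, the last one mapping to two addresses.
SAMPLE_ZONE = {f"app{n}.example.test": {ipaddress.ip_address(f"192.0.2.{n}")}
               for n in range(1, 200)}
SAMPLE_ZONE["db.example.test"] = {ipaddress.ip_address("198.51.100.7"),
                                  ipaddress.ip_address("2001:db8::7")}
SAMPLE_NAMES = list(SAMPLE_ZONE)

def sample_resolver(name):
    """Offline stand-in for resolve(), backed by the constructed table above."""
    return SAMPLE_ZONE.get(name, set())

if __name__ == "__main__":
    # First rule matches after 1 lookup; a late or absent match costs all 200.
    for ip in ("192.0.2.1", "2001:db8::7", "203.0.113.9"):
        print(ip, match_client(ip, SAMPLE_NAMES, sample_resolver))
```

Calling `match_client` without the `resolver` argument uses the system resolver, so timing it over a few hundred real names gives the kind of measurement the message asks for.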
