
Re: Why don't we allow DNS names in pg_hba.conf?

From: "Larry Rosenman" <lrosenman(at)pervasive(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>,"Andrew Dunstan" <andrew(at)dunslane(dot)net>
Cc: "Euler Taveira de Oliveira" <eulerto(at)yahoo(dot)com(dot)br>,"Jim Nasby" <jnasby(at)pervasive(dot)com>,"Andreas Pflug" <pgadmin(at)pse-consulting(dot)de>,"Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>,<pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Date: 2006-01-03 18:08:46
Message-ID: D1D2D51E3BE3FC4E98598248901F75940126988C@ausmail2k4.aus.pervasive.com
Lists: pgsql-hackers
The issue is folks that DON'T set reverse DNS, i.e. have generic rDNS
set on their IPs.

I've seen (in my ISP days, and on my mailserver) LOTS of folks that
can't/won't update their rDNS, even though it's a STATICALLY assigned
address.

And, as an example, my house IP changes when the PPPoE moves, and I have
a DynDns.org hostname that changes to support that, as well as a CNAME
out of my domain to point to it.

Just more things to think about.


-- 
Larry Rosenman		
Database Support Engineer

PERVASIVE SOFTWARE. INC.
12365B RIATA TRACE PKWY
3015
AUSTIN TX  78727-6531 

Tel: 512.231.6173
Fax: 512.459.1309
Email: Larry(dot)Rosenman(at)pervasive(dot)com
Web: www.pervasive.com 
-----Original Message-----
From: pgsql-hackers-owner(at)postgresql(dot)org
[mailto:pgsql-hackers-owner(at)postgresql(dot)org] On Behalf Of Tom Lane
Sent: Tuesday, January 03, 2006 11:43 AM
To: Andrew Dunstan
Cc: Euler Taveira de Oliveira; Jim C. Nasby; Andreas Pflug; Marc G.
Fournier; pgsql-hackers(at)postgresql(dot)org
Subject: Re: [HACKERS] Why don't we allow DNS names in pg_hba.conf? 

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> One thing that bothers me slightly is that we would need to look up
> each name (at least until we found a match) for each connection. If
> you had lots of names in your pg_hba.conf that could be quite a hit.

A possible answer to that is to *not* look up the names from
pg_hba.conf, but instead restrict the feature to matching the
reverse-DNS name of the client.  This limits the cost to one lookup per
connection instead of N (and it'd be essentially free if you have
log_hostnames turned on, since we already do that lookup in that case).

I'm not sure about the relative usefulness of this compared to the
forward-lookup case, nor whether it's riskier or less risky from a
spoofing point of view.  But something to consider.

			regards, tom lane
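As an added illustration (not code from this thread or from PostgreSQL itself), the following Python sketches the reverse-DNS-only matching Tom describes, using an injected fake resolver so it runs offline. It shows three things the discussion raises: hostname rules cost at most one PTR lookup per connection regardless of how many name rules exist; a client with generic ISP rDNS (Larry's case) simply fails to match any name rule and falls through to the catch-all; and an optional forward-confirmation step addresses the spoofing concern by discarding a PTR name that does not resolve back to the connecting address, at the price of one extra A lookup. Every address, hostname, DNS record and rule below is constructed for the example, and the rule tuples only loosely mimic pg_hba.conf.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed DNS data for the offline demo (hypothetical hosts, RFC 5737 addresses).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "db-client.example.com",           # honest PTR, forward lookup agrees
    "192.0.2.20": "db-client.example.com",           # spoofed PTR, forward lookup disagrees
    "192.0.2.30": "cpe-192-0-2-30.isp.example.net",  # generic ISP rDNS
}
A_RECORDS: Dict[str, List[str]] = {
    "db-client.example.com": ["192.0.2.10"],
    "cpe-192-0-2-30.isp.example.net": ["192.0.2.30"],
}


class FakeResolver:
    """Stand-in for the system resolver; counts queries so the cost claim is checkable."""

    def __init__(self) -> None:
        self.ptr_lookups = 0
        self.a_lookups = 0

    def reverse(self, ip: str) -> Optional[str]:
        self.ptr_lookups += 1
        return PTR_RECORDS.get(ip)

    def forward(self, name: str) -> List[str]:
        self.a_lookups += 1
        return A_RECORDS.get(name, [])


# Hypothetical pg_hba-style rules, evaluated top to bottom, first match wins:
# (type, database, user, address-or-hostname, auth method)
HBA_RULES: List[Tuple[str, str, str, str, str]] = [
    ("host", "all", "all", "10.0.0.0/8", "md5"),
    ("host", "all", "all", "db-client.example.com", "md5"),
    ("host", "all", "all", ".corp.example.com", "md5"),   # leading dot = domain suffix
    ("host", "all", "all", "0.0.0.0/0", "reject"),
]


def _is_cidr(addr: str) -> bool:
    try:
        ipaddress.ip_network(addr, strict=False)
        return True
    except ValueError:
        return False


def match_rule(client_ip: str, resolver: FakeResolver,
               rules=HBA_RULES, forward_confirm: bool = True) -> Tuple[str, Optional[str]]:
    """Return (auth_method, matching_address_field) for a connecting client.

    The client's rDNS name is resolved lazily and at most once, no matter how
    many hostname rules the table holds, which is the cost argument for matching
    on the client's reverse name rather than resolving every name in the file.
    """
    rdns: Optional[str] = None  # None = not yet looked up; "" = unusable
    ip = ipaddress.ip_address(client_ip)
    for _rtype, _db, _user, addr, method in rules:
        if _is_cidr(addr):
            if ip in ipaddress.ip_network(addr, strict=False):
                return method, addr
            continue
        if rdns is None:
            rdns = resolver.reverse(client_ip) or ""
            # Forward confirmation: whoever controls the in-addr.arpa zone can
            # publish any PTR they like, so require the name to map back to the
            # connecting address before trusting it. Costs one more lookup.
            if rdns and forward_confirm and client_ip not in resolver.forward(rdns):
                rdns = ""
        if not rdns:
            continue
        if addr.startswith("."):
            if rdns.endswith(addr):
                return method, addr
        elif rdns == addr:
            return method, addr
    return "reject", None


if __name__ == "__main__":
    for client in ("10.1.2.3", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        r = FakeResolver()
        print(client, match_rule(client, r), f"PTR={r.ptr_lookups} A={r.a_lookups}")
```

Without forward confirmation the spoofed client 192.0.2.20 is accepted under the `db-client.example.com` rule; with it, the PTR is discarded and the connection falls through to the catch-all reject, while the generic-rDNS host never matches a name rule either way.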
