The issue is folks that DON'T set reverse DNS, i.e. have generic rDNS
set on their IPs.
I've seen (in my ISP days, and on my mailserver) LOTS of folks that
Their rDNS, even though it's a STATICALLY assigned address.
And, as an example, my house IP changes when the PPPoE moves, and I have
Hostname that changes to support that, as well as a CNAME out of my
Point to it.
Just more things to think about.
Database Support Engineer
PERVASIVE SOFTWARE, INC.
12365B RIATA TRACE PKWY
AUSTIN TX 78727-6531
[mailto:pgsql-hackers-owner(at)postgresql(dot)org] On Behalf Of Tom Lane
Sent: Tuesday, January 03, 2006 11:43 AM
To: Andrew Dunstan
Cc: Euler Taveira de Oliveira; Jim C. Nasby; Andreas Pflug; Marc G.
Subject: Re: [HACKERS] Why don't we allow DNS names in pg_hba.conf?
Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> One thing that bothers me slightly is that we would need to look up
> name (at least until we found a match) for each connection. If you had
> lots of names in your pg_hba.conf that could be quite a hit.
A possible answer to that is to *not* look up the names from
pg_hba.conf, but instead restrict the feature to matching the
reverse-DNS name of the client. This limits the cost to one lookup per
connection instead of N (and it'd be essentially free if you have
log_hostnames turned on, since we already do that lookup in that case).
I'm not sure about the relative usefulness of this compared to the
forward-lookup case, nor whether it's riskier or less risky from a
spoofing point of view. But something to consider.
regards, tom lane
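The reverse-DNS matching Tom sketches above, and the generic-rDNS and dynamic-hostname cases raised in the reply, worked through as an added example (not PostgreSQL code and not from either poster). It models a pg_hba.conf-style host-name list, matches the client's PTR name against it, and adds the usual spoofing mitigation: the PTR name is accepted only if a forward lookup of that name returns the connecting address (forward-confirmed reverse DNS). That confirmation costs one extra query, but the total stays independent of how many names are listed. All DNS records here are constructed, in-memory stand-ins so the script runs offline; the leading-dot suffix form (`.example.org`) is an assumed convention for "any host under this domain".

```python
"""Forward-confirmed reverse-DNS matching of a client address against a
pg_hba.conf-style host-name list.  Added example, not PostgreSQL code.
The resolver below is a constructed in-memory stand-in for real DNS."""
import ipaddress
from typing import Callable, Optional, Sequence

# Constructed sample records (documentation-range addresses, not real hosts).
PTR_RECORDS = {
    "192.0.2.10": "db-client.example.org",    # static host with correct rDNS
    "192.0.2.20": "db-client.example.org",    # PTR claims a name forward DNS denies
    "198.51.100.7": "pool-7.dyn.isp.example", # PPPoE address with generic ISP rDNS
    # 203.0.113.5 deliberately has no PTR record at all
}
A_RECORDS = {
    "db-client.example.org": ["192.0.2.10"],
    "pool-7.dyn.isp.example": ["198.51.100.7"],
    # "home.example.org" is a CNAME to pool-7.dyn.isp.example, shown flattened
    "home.example.org": ["198.51.100.7"],
}

Reverse = Callable[[str], Optional[str]]
Forward = Callable[[str], Sequence[str]]


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query: address -> host name, or None if unset."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> Sequence[str]:
    """Stand-in for an A/AAAA query: host name -> list of addresses."""
    return A_RECORDS.get(name.lower().rstrip("."), [])


def name_matches(hba_entry: str, hostname: str) -> bool:
    """Compare case-insensitively; an entry starting with '.' matches any
    host under that domain (assumed convention for this example)."""
    entry = hba_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if entry.startswith("."):
        return host.endswith(entry)
    return entry == host


def resolve_client_name(ip: str, reverse: Reverse, forward: Forward) -> Optional[str]:
    """Return the client's forward-confirmed host name, or None.

    None covers three cases a server must treat alike: no PTR at all,
    a generic/unhelpful PTR (it resolves but matches nothing later), and a
    PTR whose name does not resolve back to the connecting address, which
    is the spoofing case the forward check exists to catch."""
    ip = str(ipaddress.ip_address(ip))   # normalise textual form
    name = reverse(ip)
    if name is None:
        return None
    if ip not in [str(ipaddress.ip_address(a)) for a in forward(name)]:
        return None   # PTR not confirmed by forward lookup: do not trust it
    return name


def client_matches(ip: str, allowed: Sequence[str],
                   reverse: Reverse = reverse_lookup,
                   forward: Forward = forward_lookup) -> bool:
    """True if the client's confirmed rDNS name matches any allowed entry.
    Exactly one PTR query and one forward query are issued regardless of
    how many entries 'allowed' holds."""
    name = resolve_client_name(ip, reverse, forward)
    if name is None:
        return False
    return any(name_matches(entry, name) for entry in allowed)


def query_count(ip: str, allowed: Sequence[str]) -> int:
    """Count DNS queries issued for one connection decision."""
    counter = {"n": 0}

    def counting_reverse(addr: str) -> Optional[str]:
        counter["n"] += 1
        return reverse_lookup(addr)

    def counting_forward(name: str) -> Sequence[str]:
        counter["n"] += 1
        return forward_lookup(name)

    client_matches(ip, allowed, counting_reverse, counting_forward)
    return counter["n"]


if __name__ == "__main__":
    allowed = ["db-client.example.org", "home.example.org", ".dyn.isp.example"]
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", resolve_client_name(ip, reverse_lookup, forward_lookup),
              "match:", client_matches(ip, allowed), "queries:", query_count(ip, allowed))
```

Two things the constructed data brings out: the dynamic PPPoE host from the reply is only reachable through its ISP-assigned PTR name (or a suffix entry for the ISP's dynamic pool), because a CNAME pointing at it never appears in a reverse lookup; and a PTR that names an allowed host but fails forward confirmation is rejected rather than matched, which is the risk the spoofing remark above refers to.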