Skip site navigation (1) Skip section navigation (2)

Re: Why don't we allow DNS names in pg_hba.conf?

From: Jon Jensen <jon(at)endpoint(dot)com>
To: Andreas Pflug <pgadmin(at)pse-consulting(dot)de>
Cc: "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>,Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Date: 2006-01-02 18:09:45
Message-ID: Pine.LNX.4.64.0601021101580.20979@ybpnyubfg.ybpnyqbznva (view raw or flat)
Thread:
Lists: pgsql-hackers
On Sun, 1 Jan 2006, Andreas Pflug wrote:

>>> While I haven't tried it, I suspect that allowing a DNS host name
>>> would take little work (basically removing the AI_NUMERICHOST flag
>>> passed to getaddrinfo in hba.c).  There was once a good reason not
>>> to allow it: slow DNS lookups would lock up the postmaster.  But
>>> now that we do this work in an already-forked backend, with an overall
>>> timeout that would catch any indefinite blockage, I don't see a good
>>> reason why we shouldn't let people use DNS names.
[snip]
>
> Routers/firewalls that allow DNS names will usually resolve them immediately, 
> and store the IP addresses.

I think it's a great idea to make DNS names an option in pg_hba.conf. 
However, I think we're talking about two fairly different features here.

(1) What Tom proposed is that we store the hostname and do a new DNS 
lookup for every connection. That could be useful in certain situations, 
but I wouldn't use it for a busy production server. The additional time 
for DNS lookups (even with a fast local caching nameserver) would not be a 
price I'd want to pay for the convenience. In a development environment, 
it could be just the ticket, though.

(2) As Andreas mentioned, firewalls commonly do the DNS lookups when they 
read their configuration, and store the IP addresses. If we did this, 
you'd presumably only have to reload the postmaster configuration to cause 
the DNS lookups to be done again, but until then they'd be static and as 
fast as using actual IP addresses.

If both were implemented, I'm not sure how you'd indicate which method you 
want on any given pg_hba.conf line.

If we were only to have one of these, I'd prefer (2). You could always set 
up a cron job to reload the postmaster config hourly or daily, to keep the 
DNS lookups from getting too stale.

Jon

-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/
Software development with Interchange, Perl, PostgreSQL, Apache, Linux, ...

In response to

Responses

pgsql-hackers by date

Next:From: Mike RylanderDate: 2006-01-02 18:23:42
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Previous:From: Tom LaneDate: 2006-01-02 17:54:42
Subject: What bison versions are installed on buildfarm machines?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group