Re: Why don't we allow DNS names in pg_hba.conf?

On Tue, 3 Jan 2006, Tino Wildenhain wrote:

>>> One thing that bothers me slightly is that we would need to look up each
>>> name (at least until we found a match) for each connection. If you had
>>> lots of names in your pg_hba.conf that could be quite a hit.
>>
>> A possible answer to that is to *not* look up the names from
>> pg_hba.conf, but instead restrict the feature to matching the
>> reverse-DNS name of the client. This limits the cost to one lookup per
>> connection instead of N (and it'd be essentially free if you have
>> log_hostnames turned on, since we already do that lookup in that case).
>
> Or alternatively (documented) scan and translate the names
> only on restart or sighup. This would limit the overhead
> and changes to the confile-scanner only and would
> at least enable symbolic names in the config files.
> (Of course w/o any wildcards - that would be the drawback)

That's what I suggested yesterday, but others didn't like it and the
possibility of using /etc/hosts or a name server on the local network to
mitigate speed concerns makes me think they're right.

Jon

--
Jon Jensen
End Point Corporation
http://www.endpoint.com/