On Fri, Jun 13, 2008 at 4:30 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
>> The reason it wasn't done years ago was that there was disagreement on
>> the way it should work. And the TODO actually lists several alternatives:
> IIRC, the major reason there was disagreement was the prospect of
> unacceptable performance from any of the easy or obvious
> implementations. As Andrew S notes, you can't just do the lookups
> once at postmaster start; but resolving a pile of hostnames during
> each connection is pretty unpleasant, especially if the DNS server
> isn't local. (And then there are the effective-DOS implications if
> the DNS server is down altogether.)
Yes, if DNS server is down during a init connection, or server
startup, we can have problems.
> The attraction of the reverse-lookup approach is that you do only
> one lookup, on the actual connection IP, rather than having to
> resolve every hostname in the file to see if it matches.
SSH uses an approach like that.
> However that way had disadvantages of its own, which I don't recall at the
> moment. I think at least some of the issues had to do with security,
> ie how much can you trust an answer from a remote DNS server.
> Check the archives before you start implementing ...
I'm seeing alternatives and studing the code and the email replies,
but not start coding yet.
Dickson S. Guedes
Projeto Colmeia - Curitiba - PR
(41) 3254-7130 ramal: 27
In response to
pgsql-hackers by date
|Next:||From: Simon Riggs||Date: 2008-06-13 20:06:50|
|Subject: Re: Change lock requirements for adding a trigger|
|Previous:||From: Simon Riggs||Date: 2008-06-13 19:51:19|
|Subject: Re: TODO Item: Allow pg_hba.conf to specify host namesalong with IP addresses|