Skip site navigation (1) Skip section navigation (2)

Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses

From: "Dickson S(dot) Guedes" <guediz(at)gmail(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Bruce Momjian" <bruce(at)momjian(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses
Date: 2008-06-13 19:54:20
Message-ID: f0b79c6f0806131254q36aff3fenb5bbeb9a3d6cf8d2@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
On Fri, Jun 13, 2008 at 4:30 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
>> The reason it wasn't done years ago was that there was disagreement on
>> the way it should work. And the TODO actually lists several alternatives:
>
> IIRC, the major reason there was disagreement was the prospect of
> unacceptable performance from any of the easy or obvious
> implementations.  As Andrew S notes, you can't just do the lookups
> once at postmaster start; but resolving a pile of hostnames during
> each connection is pretty unpleasant, especially if the DNS server
> isn't local.  (And then there are the effective-DOS implications if
> the DNS server is down altogether.)

Yes, if DNS server is down during a init connection, or server
startup, we can have problems.

> The attraction of the reverse-lookup approach is that you do only
> one lookup, on the actual connection IP, rather than having to
> resolve every hostname in the file to see if it matches.

SSH uses an approach like that.

> However that way had disadvantages of its own, which I don't recall at the
> moment.  I think at least some of the issues had to do with security,
> ie how much can you trust an answer from a remote DNS server.
> Check the archives before you start implementing ...

I'm seeing alternatives and studing the code and the email replies,
but not start coding yet.

Thanks Tom.

-- 
[]s
Dickson S. Guedes
-------------------------------------
Projeto Colmeia - Curitiba - PR
(41) 3254-7130 ramal: 27
http://makeall.wordpress.com/
http://pgcon.postgresql.org.br/
http://planeta.postgresql.org.br/

In response to

Responses

pgsql-hackers by date

Next:From: Simon RiggsDate: 2008-06-13 20:06:50
Subject: Re: Change lock requirements for adding a trigger
Previous:From: Simon RiggsDate: 2008-06-13 19:51:19
Subject: Re: TODO Item: Allow pg_hba.conf to specify host namesalong with IP addresses

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group