Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses

From: "Dickson S(dot) Guedes" <guediz(at)gmail(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Bruce Momjian" <bruce(at)momjian(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses
Date: 2008-06-13 19:54:20
Lists: pgsql-hackers

On Fri, Jun 13, 2008 at 4:30 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
>> The reason it wasn't done years ago was that there was disagreement on
>> the way it should work. And the TODO actually lists several alternatives:
> IIRC, the major reason there was disagreement was the prospect of
> unacceptable performance from any of the easy or obvious
> implementations.  As Andrew S notes, you can't just do the lookups
> once at postmaster start; but resolving a pile of hostnames during
> each connection is pretty unpleasant, especially if the DNS server
> isn't local.  (And then there are the effective-DOS implications if
> the DNS server is down altogether.)

Yes, if the DNS server is down during an init connection, or server
startup, we can have problems.

> The attraction of the reverse-lookup approach is that you do only
> one lookup, on the actual connection IP, rather than having to
> resolve every hostname in the file to see if it matches.

SSH uses an approach like that.

> However that way had disadvantages of its own, which I don't recall at the
> moment.  I think at least some of the issues had to do with security,
> ie how much can you trust an answer from a remote DNS server.
> Check the archives before you start implementing ...

I'm seeing alternatives and studying the code and the email replies,
but have not started coding yet.

Thanks Tom.

Dickson S. Guedes
Projeto Colmeia - Curitiba - PR
(41) 3254-7130 ext. 27
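
The reverse-lookup approach discussed in this message, with a forward confirmation step for the trust concern and a fail-closed path for an unreachable DNS server, as an added example that is not part of the original email or of PostgreSQL's code. The function names, the injected resolver callbacks and the DNS data are all constructed for illustration.

```python
import ipaddress
from typing import Callable, Iterable, Optional

class ResolverDown(Exception):
    """Raised by a resolver callback when DNS cannot be reached."""

def _norm(host: str) -> str:
    return host.rstrip(".").lower()

def match_hba_hostname(client_ip: str, hba_hostnames: Iterable[str],
                       reverse: Callable[[str], Optional[str]],
                       forward: Callable[[str], Iterable[str]]) -> Optional[str]:
    """Return the configured host name that client_ip matches, or None.

    Costs one reverse lookup per connection, plus one forward lookup only
    when the returned name is actually listed in the file.
    """
    try:
        claimed = reverse(client_ip)       # PTR answer, not yet trusted
        if claimed is None or _norm(claimed) not in {_norm(h) for h in hba_hostnames}:
            return None                    # no match, no forward lookup needed
        # Forward-confirm: the name's own address records must contain the
        # client IP, because the PTR record is served by whoever runs the
        # reverse zone for that address, not by the owner of the host name.
        addrs = {ipaddress.ip_address(a) for a in forward(_norm(claimed))}
    except ResolverDown:
        return None                        # fail closed when DNS is down
    return _norm(claimed) if ipaddress.ip_address(client_ip) in addrs else None

# Constructed DNS data using documentation address ranges.
PTR = {"192.0.2.10": "app1.example.com.",
       "203.0.113.5": "app1.example.com."}   # second entry is an unconfirmed claim
A = {"app1.example.com": ["192.0.2.10"]}

def sample_reverse(ip: str) -> Optional[str]:
    return PTR.get(ip)

def sample_forward(name: str) -> list:
    return A.get(name, [])

def resolver_down(_query: str):
    raise ResolverDown()

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "198.51.100.1"):
        print(ip, "->", match_hba_hostname(ip, ["app1.example.com"],
                                           sample_reverse, sample_forward))
```

Failing closed keeps an unreachable resolver from granting access, but it also means listed hosts are refused while DNS is down, which is the availability cost raised in the quoted text.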
