> On Tue, Jan 03, 2006 at 12:43:03PM -0500, Tom Lane wrote:
>> I'm not sure about the relative usefulness of this compared to the
>> forward-lookup case, nor whether it's riskier or less risky from a
>> spoofing point of view. But something to consider.
> I think it's riskier. I have my own PTR records, that I can make be
> whatever I wish without any authority verifying that my actions are
Yeah, that occurred to me after a few moments' thought. We could do one
extra forward lookup to confirm that the reverse-lookup name maps back
to the IP address.
> It's not a big deal.
Depends on how many names you want to put into pg_hba.conf. I don't
offhand see a use-case for very many, but maybe there is one. Even
if there are a lot, they'd not be expensive to look up if there is
a local nameserver that is authoritative for those names ... which
I'd think would be the normal case. The more "outside" names you've
got in pg_hba.conf, the more open you are to spoofing.
regards, tom lane
In response to
pgsql-hackers by date
|Next:||From: Stephen Frost||Date: 2006-01-03 18:30:56|
|Subject: Re: [Bizgres-general] WAL bypass for INSERT, UPDATE and|
|Previous:||From: Tino Wildenhain||Date: 2006-01-03 18:21:33|
|Subject: Re: Why don't we allow DNS names in pg_hba.conf?|