From: | Hans Spaans <pgsql-admin(at)lists(dot)hansspaans(dot)nl> |
---|---|
To: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: Pg_hba and dynamic dns |
Date: | 2003-05-09 00:23:40 |
Message-ID: | 20030509002340.GA17686@sch01r01.nexit.nl |
Lists: | pgsql-admin |
On Thu, May 08, 2003 at 06:40:14PM -0400, Randall Perry wrote:
> I've discovered I can use URLs for an IP address in pg_hba.conf, and
> everything works ok if the host can be resolved.
>
> If it can't be resolved I get the error:
> psql: FATAL: Missing or erroneous pg_hba.conf file, see postmaster log for
> details
>
> And then all tcp/ip is denied.
>
> That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access
> shouldn't break if a URL can't be resolved?

IMHO support for fqdn should be removed.

1. FQDNs are mostly resolved when the configuration is being loaded.
   So that data isn't going to change when the program is running or
   would you like to do a dns query for every connection you get?
2. How are you going to handle forward and reversed dns? Think about
   multiple A-records, fake or no reversed DNS, etc.
3. If fqdn is being checked when the db gets a connection people can
   break in when you only check reversed dns.
4. Who is going to ensure me that dns isn't compromised somewhere down
   the line?

These are just a few things, but I'm wondering.

--
Hans
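
Points 2 and 3 of the message above, as an added example that is not part of the original post and not PostgreSQL code: a reverse-only hostname check beside a forward-confirmed one, where a name that cannot be resolved skips only its own rule. The DNS tables, host names, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed DNS data (assumption): documentation address ranges, example names.
PTR = {  # reverse zone: controlled by whoever owns the address block
    "192.0.2.10": "app.example.org",
    "203.0.113.66": "app.example.org",  # PTR that merely claims the allowed name
}
A = {    # forward zone: controlled by the owner of example.org
    "app.example.org": ["192.0.2.10", "192.0.2.11"],  # multiple A records
}


def reverse_only_match(client_ip, allowed_host, ptr=PTR):
    """Weak check: trust whatever name the PTR record returns."""
    return ptr.get(client_ip) == allowed_host


def forward_confirmed_match(client_ip, allowed_host, ptr=PTR, a=A):
    """The PTR must give the allowed name AND that name must resolve
    back to the connecting address (any one of its A records)."""
    if ptr.get(client_ip) != allowed_host:
        return False                      # no PTR, or a different name
    addrs = a.get(allowed_host, [])       # unresolvable name: no match, no error
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(x) == ip for x in addrs)


def first_matching_rule(client_ip, rules, check):
    """Return the first rule host that matches the client, else None.
    A rule whose name cannot be resolved is skipped, not treated as fatal."""
    for host in rules:
        if check(client_ip, host):
            return host
    return None


if __name__ == "__main__":
    rules = ["gone.example.net", "app.example.org"]  # first name does not resolve
    for ip in ("192.0.2.10", "192.0.2.11", "203.0.113.66"):
        print(ip,
              "reverse-only:", reverse_only_match(ip, "app.example.org"),
              "forward-confirmed:", first_matching_rule(ip, rules, forward_confirmed_match))
```

The address 192.0.2.11 is a valid A record but has no PTR, so it matches neither check; this is the "no reversed DNS" case from point 2.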