Re: libpq should not look up all host addresses at once

From: Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>
To: Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: libpq should not look up all host addresses at once
Date: 2018-08-14 19:18:32
Message-ID: 20180814191832.GD6776@isc.upenn.edu
Lists: pgsql-hackers

On Tue, Aug 14, 2018 at 12:24:32PM +0200, Fabien COELHO wrote:
>
> Hello Tom,
>
> >>As you noted in another message, a small doc update should be needed.
> >
> >Check. Proposed doc patch attached. (Only the last hunk is actually
> >specific to this patch, the rest is cleanup that I noticed while looking
> >around for possibly-relevant text.)
>
> Doc build is ok.
>
> Some comments that you may not find all useful, please accept my apology, it
> just really shows that I read your prose in some detail:-)
>
> The mention of possible reverse dns queries has been removed... but I do not
> think there was any before? There could be if only hostaddr is provided but
> a hostname is required by some auth, but it does not seem to be the case
> according to the documentation.
>
> I read the rationale of the host/hostaddr artificial mapping. I cannot say
> I'm thrilled with the result: I do not really see a setting where avoiding a
> DNS query is required but which still needs a hostname for auth... If you
> have GSSAPI or SSPI then you have an underlying network, in which a dns
> query should be fine.

FWIW, I think this is useful even if it will be uncommon to use. I run
some HA services here and I find I use this kind of functionality all
the time to test if a standby node is functioning properly. OpenSSH
GSSAPIServerIdentity does this. curl does this via '--resolve'. In
both cases one can check the name authenticates properly via TLS or
GSSAPI while connecting to an IP that is not production.

The IP might float via VRRP or EIP in AWS, or it might be a service
local OOB network and the frontend might be a load balancer like haproxy.

FWIW, I am not using this for PG today, but this kind of feature is
definitely nice to have for alarming and HA. It lets proper analysis
happen. This way not everyone has to be called when the local DNS resolver
fails and just the DNS-people can get the 2am call.

Anyway, if it's not a big burden, I suggest you keep it, IIUC.
This kind of thing is really handy especially since today's cloudy-stuff
means one often gets all-the-nat whether one wants it or not.

Garick
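
The kind of check this message describes, written against libpq's `host`/`hostaddr` pair, is sketched below as an added example; it is not part of the original message or of PostgreSQL's own code. The service name, node addresses, database name and the assumption of non-interactive authentication (for example `~/.pgpass` or a client certificate) are all constructed for illustration.

```sh
#!/bin/sh
# Probe each cluster node by its own IP while still authenticating the
# production name, so a failed DNS resolver or a moved floating IP does not
# mask (or fake) a node failure. All names and addresses are constructed.
SERVICE_NAME="db.example.com"      # name in the server certificate (assumed)
NODES="192.0.2.10 192.0.2.11"      # per-node addresses, not the floating IP (assumed)

# Build a libpq conninfo string: hostaddr selects the socket target with no
# DNS lookup; host is the name sslmode=verify-full checks in the certificate.
conninfo() {
    printf 'host=%s hostaddr=%s port=5432 dbname=postgres sslmode=verify-full connect_timeout=5' "$1" "$2"
}

# Classify one node as primary, standby, or FAIL (unreachable, certificate
# name mismatch, or authentication failure all end up here).
probe_node() {
    out=$(psql "$(conninfo "$1" "$2")" -XAtqw -c 'SELECT pg_is_in_recovery()' 2>/dev/null) || {
        echo "FAIL"; return 1; }
    case "$out" in
        t) echo "standby" ;;
        f) echo "primary" ;;
        *) echo "FAIL"; return 1 ;;
    esac
}

# Probe every node; print "<ip> <state>" per line, return non-zero if any failed.
probe_all() {
    rc=0
    for ip in $NODES; do
        state=$(probe_node "$SERVICE_NAME" "$ip") || rc=1
        echo "$ip $state"
    done
    return $rc
}
```

Call `probe_all` from the monitoring job; because no name lookup happens on the probe path, a resolver outage shows up only in a separate DNS check.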
