| From: | Nico Williams <nico(at)cryptonector(dot)com> |
|---|---|
| To: | Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> |
| Cc: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: libpq should not look up all host addresses at once |
| Date: | 2018-08-14 20:18:03 |
| Message-ID: | 20180814201802.GE30604@localhost |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Aug 14, 2018 at 03:18:32PM -0400, Garick Hamlin wrote:
> On Tue, Aug 14, 2018 at 12:24:32PM +0200, Fabien COELHO wrote:
> > I read the rational of the host/hostaddr artificial mapping. I cannot say
> > I'm thrilled with the result: I do not really see a setting where avoiding a
> > DNS query is required but which still needs a hostname for auth... If you
> > have GSSAPI or SSPI then you have an underlying network, in which a dns
> > query should be fine.
>
> FWIW, I think this is useful even it will be uncommon to use. I run
> some HA services here and I find I use this kind of functionality all
> the time to test if a standby node functioning properly. openssh
> GSSAPIServerIdentity does this. curl does this via '--resolve'. In
> both cases one can check the name authenticates properly via TLS or
> GSSAPI while connecting to an IP that is not production.
+1
curl's --resolve is a fantastic diagnostic tool. I wish it also allowed
changing the destination port as well.
While I'm at it, I strongly prefer using postgresql: URIs to any other
way to specify connect info, and I think PG should do more to encourage
their use -- perhaps even deprecating the alternatives.
Nico
--
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2018-08-14 20:23:33 | Re: Facility for detecting insecure object naming |
| Previous Message | Peter Eisentraut | 2018-08-14 20:02:00 | Re: Pre-v11 appearances of the word "procedure" in v11 docs |