Re: Why don't we allow DNS names in pg_hba.conf?

From: "Larry Rosenman" <lrosenman(at)pervasive(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Andrew Dunstan" <andrew(at)dunslane(dot)net>
Cc: "Euler Taveira de Oliveira" <eulerto(at)yahoo(dot)com(dot)br>, "Jim Nasby" <jnasby(at)pervasive(dot)com>, "Andreas Pflug" <pgadmin(at)pse-consulting(dot)de>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Date: 2006-01-03 18:08:46
Message-ID: D1D2D51E3BE3FC4E98598248901F75940126988C@ausmail2k4.aus.pervasive.com
Lists: pgsql-hackers

The issue is folks that DON'T set reverse DNS, i.e. have generic rDNS set on their IPs.

I've seen (in my ISP days, and on my mailserver) LOTS of folks that can't/won't update their rDNS, even though it's a statically assigned address.

And, as an example, my house IP changes when the PPPoE moves, and I have a DynDns.org hostname that changes to support that, as well as a CNAME out of my domain to point to it.

Just more things to think about.

--
Larry Rosenman
Database Support Engineer

PERVASIVE SOFTWARE. INC.
12365B RIATA TRACE PKWY
3015
AUSTIN TX 78727-6531

Tel: 512.231.6173
Fax: 512.459.1309
Email: Larry(dot)Rosenman(at)pervasive(dot)com
Web: www.pervasive.com
-----Original Message-----
From: pgsql-hackers-owner(at)postgresql(dot)org
[mailto:pgsql-hackers-owner(at)postgresql(dot)org] On Behalf Of Tom Lane
Sent: Tuesday, January 03, 2006 11:43 AM
To: Andrew Dunstan
Cc: Euler Taveira de Oliveira; Jim C. Nasby; Andreas Pflug; Marc G. Fournier; pgsql-hackers(at)postgresql(dot)org
Subject: Re: [HACKERS] Why don't we allow DNS names in pg_hba.conf?

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> One thing that bothers me slightly is that we would need to look up each
> name (at least until we found a match) for each connection. If you had
> lots of names in your pg_hba.conf that could be quite a hit.

A possible answer to that is to *not* look up the names from
pg_hba.conf, but instead restrict the feature to matching the
reverse-DNS name of the client. This limits the cost to one lookup per
connection instead of N (and it'd be essentially free if you have
log_hostnames turned on, since we already do that lookup in that case).

I'm not sure about the relative usefulness of this compared to the
forward-lookup case, nor whether it's riskier or less risky from a
spoofing point of view. But something to consider.

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
choose an index scan if your joining column's datatypes do not
match
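The two matching strategies discussed in this thread, side by side, as an added example that is not code from PostgreSQL or from either poster. DNS is replaced by constructed in-memory PTR and A tables so the script runs offline; every name and address in it is hypothetical. The reverse-DNS path is shown both without and with forward confirmation (FCrDNS: resolve the PTR answer forward and require the client address to be among the results), which is the standard way to take the spoofing risk out of trusting a PTR record. The tables also model Larry's two cases: a statically assigned address whose rDNS is the ISP's generic name, and a DynDNS name reached through a CNAME, which only the forward-lookup approach can match.

```python
"""pg_hba-style host rule matching: forward lookup vs. reverse lookup (with and
without forward confirmation).  Added example; not PostgreSQL's own code.
DNS is replaced by constructed tables so that this runs offline."""
from typing import Optional

# Constructed PTR answers: client IP -> reverse name (hypothetical data).
PTR_RECORDS = {
    "10.0.0.5":    "db-client.corp.example",        # properly maintained rDNS
    "203.0.113.7": "cust-203-0-113-7.isp.example",  # generic ISP rDNS the owner never updated
    "203.0.113.9": "db-client.corp.example",        # attacker-controlled PTR claiming a trusted name
}

# Constructed A answers with CNAMEs already chased: forward name -> addresses (hypothetical).
A_RECORDS = {
    "db-client.corp.example":       {"10.0.0.5"},
    "cust-203-0-113-7.isp.example": {"203.0.113.7"},
    "home.larry.example":           {"203.0.113.7"},  # CNAME -> DynDNS name tracking the PPPoE address
}

# Hypothetical pg_hba.conf host entries; a leading dot is a suffix match.
RULES = ["db-client.corp.example", "home.larry.example", ".corp.example"]


def reverse_lookup(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> set:
    return A_RECORDS.get(name, set())


def host_rule_matches(rule_host: str, name: str) -> bool:
    if rule_host.startswith("."):
        return name.endswith(rule_host)
    return name == rule_host


def match_by_reverse(ip: str, rule_hosts: list, confirm: bool = True) -> Optional[str]:
    """Tom's suggestion: one PTR lookup per connection, then compare the answer
    against the rules.  With confirm=True the PTR answer is also resolved forward
    and accepted only if it points back at the connecting address, so that
    whoever controls the client's reverse zone cannot simply claim a trusted name."""
    name = reverse_lookup(ip)
    if name is None:
        return None
    if confirm and ip not in forward_lookup(name):
        return None
    for rule in rule_hosts:
        if host_rule_matches(rule, name):
            return rule
    return None


def match_by_forward(ip: str, rule_hosts: list) -> Optional[str]:
    """Andrew's concern: resolve each rule host until one yields the client IP,
    up to N lookups per connection.  Suffix rules cannot be resolved forward at all,
    but a name whose A record tracks a dynamic address does work here."""
    for rule in rule_hosts:
        if rule.startswith("."):
            continue
        if ip in forward_lookup(rule):
            return rule
    return None


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip,
              "reverse(unconfirmed):", match_by_reverse(ip, RULES, confirm=False),
              "reverse(FCrDNS):", match_by_reverse(ip, RULES),
              "forward:", match_by_forward(ip, RULES))
```

Running it shows the three outcomes the thread is weighing: 10.0.0.5 is accepted by every strategy; 203.0.113.7 (generic ISP rDNS) is rejected by both reverse variants and accepted only through its forward name; 203.0.113.9 (spoofed PTR) is accepted by the unconfirmed reverse match and rejected once the PTR answer is confirmed forward.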
