Re: CIDR in pg_hba.conf
From | Andrew Dunstan |
---|---|
Subject | Re: CIDR in pg_hba.conf |
Date | |
Msg-id | 002101c3162c$e82903c0$6401a8c0@DUNSLANE |
In reply to | Re: CIDR in pg_hba.conf (Larry Rosenman <ler@lerctr.org>) |
List | pgsql-hackers |
I agree with this 100%. My plan was simply at connect time to loop through
the stuff returned by getaddrinfo looking for a matching address. Risks in
terms of security and connect time are matters for documentation, IMNSHO.

andrew

----- Original Message -----
From: "Tom Lane" <tgl@sss.pgh.pa.us>
To: "Bruno Wolff III" <bruno@wolff.to>
Cc: "Curt Sampson" <cjs@cynic.net>; "PostgreSQL Hackers Mailing List" <pgsql-hackers@postgresql.org>
Sent: Friday, May 09, 2003 8:50 AM
Subject: Re: [HACKERS] CIDR in pg_hba.conf

> Bruno Wolff III <bruno@wolff.to> writes:
> > .... However I don't think doing just forward
> > lookups at connect time scales.
>
> Is it necessary that it scale? AFAICS, putting DNS names in pg_hba.conf
> would be a convenience feature for low-volume databases. People who are
> trying to service lots of connections would put numbers in there anyway
> for performance reasons. I'd prefer to go for simplicity here, and just
> do the lookups on demand.
>
> I think most of the objections that have been raised in this thread are
> not very applicable to real-world uses. The hosts you are going to be
> granting database access to are usually nearby ones, and the DNS server
> you are going to be consulting is not only nearby but authoritative for
> those names. So I think both the speed and security issues are being
> overstated. Indeed we should mention them prominently in the docs, but
> we should not overengineer the implementation.
>
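The connect-time check described in this message, as an added example that is not part of the original post or of PostgreSQL's code: resolve the host name from a pg_hba.conf entry with getaddrinfo and compare every returned address with the client's. The names `hba_host_matches` and `client_from_text` are hypothetical, and treating a failed lookup as "no match" is an assumption of this sketch.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Same family and same raw address bytes; the port is ignored. */
static int same_addr(const struct sockaddr *a, const struct sockaddr *b)
{
    if (a->sa_family != b->sa_family)
        return 0;
    if (a->sa_family == AF_INET)
        return memcmp(&((const struct sockaddr_in *) a)->sin_addr,
                      &((const struct sockaddr_in *) b)->sin_addr, sizeof(struct in_addr)) == 0;
    if (a->sa_family == AF_INET6)
        return memcmp(&((const struct sockaddr_in6 *) a)->sin6_addr,
                      &((const struct sockaddr_in6 *) b)->sin6_addr, sizeof(struct in6_addr)) == 0;
    return 0;
}

/* hba_host_matches (hypothetical name): 1 if any address `host` resolves to
 * equals the client's address. A failed lookup is "no match", so a DNS
 * outage denies the connection instead of admitting it. */
int hba_host_matches(const char *host, const struct sockaddr *client)
{
    struct addrinfo hints, *res, *ai;
    int found = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;     /* IPv4 and IPv6 results */
    hints.ai_socktype = SOCK_STREAM; /* one entry per address */
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return 0;
    for (ai = res; ai != NULL && !found; ai = ai->ai_next)
        found = same_addr(ai->ai_addr, client);
    freeaddrinfo(res);
    return found;
}

/* Build a client sockaddr from numeric text (used for the constructed inputs). */
int client_from_text(const char *text, struct sockaddr_storage *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, &((struct sockaddr_in *) out)->sin_addr) == 1)
        out->ss_family = AF_INET;
    else if (inet_pton(AF_INET6, text, &((struct sockaddr_in6 *) out)->sin6_addr) == 1)
        out->ss_family = AF_INET6;
    return out->ss_family != 0;
}
```

Each call performs a blocking forward lookup, which is the connect-time cost the thread proposes to document.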