Re: CIDR in pg_hba.conf
От | Andrew Dunstan |
---|---|
Тема | Re: CIDR in pg_hba.conf |
Дата | |
Msg-id | 01bd01c314cc$a2bdfdb0$6401a8c0@DUNSLANE обсуждение исходный текст |
Ответ на | CIDR in pg_hba.conf ("Andrew Dunstan" <andrew@dunslane.net>) |
Ответы |
Re: CIDR in pg_hba.conf
Re: CIDR in pg_hba.conf |
Список | pgsql-hackers |
My slightly cursory look at the relevant section of hba.c suggests that the resolution would done at connect time, not at file parse time - I'm sure someone will correct me if I'm wrong. I wasn't going to do reverse lookup - do you think we should? Basically I was going to match if a forward mapping of the DNS name matched the socket address. The other issue is that doing an address lookup has the potential to add hugely to the time taken to establish connections - CNAMEs will make this worse, caching will make it better. Using reverse lookups would significantly increase this impact. Maybe we need to think a bit harder about this. Or at the very least put a prominent warning in the docs and sample files, just like Apache does in relation to the same issue for log files etc. andrew ----- Original Message ----- From: "Larry Rosenman" <ler@lerctr.org> > One thing I thought of, is when do you do the resolution of name-to-ip? > You may need > to think about spoofs and DNS issues. > > Please think about this, as cache-poisoning, and trashy reverse-DNS is a > real issue > out there. > > LER >
В списке pgsql-hackers по дате отправления: