Re: CIDR in pg_hba.conf

From: Andrew Dunstan
Subject: Re: CIDR in pg_hba.conf
Date:
Msg-id: 01bd01c314cc$a2bdfdb0$6401a8c0@DUNSLANE
In reply to: CIDR in pg_hba.conf  ("Andrew Dunstan" <andrew@dunslane.net>)
Replies: Re: CIDR in pg_hba.conf  (Larry Rosenman <ler@lerctr.org>)
Re: CIDR in pg_hba.conf  (Bruno Wolff III <bruno@wolff.to>)
List: pgsql-hackers
My slightly cursory look at the relevant section of hba.c suggests that the
resolution would be done at connect time, not at file parse time - I'm sure
someone will correct me if I'm wrong.

I wasn't going to do reverse lookup - do you think we should? Basically I
was going to match if a forward mapping of the DNS name matched the socket
address.

The other issue is that doing an address lookup has the potential to add
hugely to the time taken to establish connections - CNAMEs will make this
worse, caching will make it better. Using reverse lookups would
significantly increase this impact.

Maybe we need to think a bit harder about this. Or at the very least put a
prominent warning in the docs and sample files, just like Apache does in
relation to the same issue for log files etc.

andrew


----- Original Message ----- 
From: "Larry Rosenman" <ler@lerctr.org>

> One thing I thought of, is when do you do the resolution of name-to-ip?
> You may need
> to think about spoofs and DNS issues.
>
> Please think about this, as cache-poisoning, and trashy reverse-DNS is a
> real issue
> out there.
>
> LER
>

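The three matching strategies discussed in this thread (forward lookup only, reverse lookup only, and reverse lookup confirmed by a forward lookup), side by side, as an added example that is not part of the original messages and not PostgreSQL's hba.c code. The DNS data is a constructed in-memory table standing in for real resolver calls, so the example runs offline; the `CachingResolver` wrapper is an illustration of the caching that Andrew notes reduces the per-connection cost, with an injectable clock so the expiry can be exercised without sleeping.

```python
import ipaddress
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample DNS data (documentation address ranges), standing in for
# real forward (A/AAAA) and reverse (PTR) lookups so the example runs offline.
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "app1.example.test": ["192.0.2.10", "2001:db8::10"],
    "app2.example.test": ["192.0.2.11"],
}
SAMPLE_REVERSE: Dict[str, str] = {
    "192.0.2.10": "app1.example.test",
    "192.0.2.11": "app2.example.test",
    # A PTR record in a zone the server operator does not control that claims
    # a trusted name: the "trashy reverse-DNS" case raised in the thread.
    "198.51.100.7": "app1.example.test",
}

ForwardResolver = Callable[[str], Iterable[str]]
ReverseResolver = Callable[[str], Optional[str]]


def sample_forward(name: str) -> List[str]:
    """Stand-in for a forward lookup; returns [] for unknown names."""
    return SAMPLE_FORWARD.get(name, [])


def sample_reverse(addr: str) -> Optional[str]:
    """Stand-in for a PTR lookup; returns None when no record exists."""
    return SAMPLE_REVERSE.get(addr)


def forward_match(hostname: str, peer_addr: str,
                  resolve: ForwardResolver = sample_forward) -> bool:
    """Match only if a forward lookup of the pg_hba name yields the socket
    address of the connecting peer (the approach Andrew describes). Done per
    connection, so every call may cost a DNS round trip unless cached."""
    peer = ipaddress.ip_address(peer_addr)
    for candidate in resolve(hostname):
        try:
            if ipaddress.ip_address(candidate) == peer:
                return True
        except ValueError:
            continue  # ignore malformed answers rather than failing open
    return False


def reverse_only_match(hostname: str, peer_addr: str,
                       reverse: ReverseResolver = sample_reverse) -> bool:
    """Trust the PTR record alone. Whoever controls the reverse zone for the
    peer's address controls the answer, so this is the weak variant."""
    return reverse(peer_addr) == hostname


def forward_confirmed_reverse_match(hostname: str, peer_addr: str,
                                    resolve: ForwardResolver = sample_forward,
                                    reverse: ReverseResolver = sample_reverse) -> bool:
    """PTR lookup followed by a forward lookup of the returned name, which
    must map back to the peer address. Costs two lookups per connection."""
    name = reverse(peer_addr)
    if name is None or name != hostname:
        return False
    return forward_match(name, peer_addr, resolve)


class ManualClock:
    """Test clock: time advances only when .now is set."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class CachingResolver:
    """TTL cache in front of a forward resolver. `lookups` counts the calls
    that actually reached the inner resolver."""
    def __init__(self, inner: ForwardResolver, ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._inner, self._ttl, self._clock = inner, ttl_seconds, clock
        self._cache: Dict[str, Tuple[float, List[str]]] = {}
        self.lookups = 0

    def __call__(self, name: str) -> List[str]:
        now = self._clock()
        hit = self._cache.get(name)
        if hit is not None and hit[0] > now:
            return hit[1]
        self.lookups += 1
        answers = list(self._inner(name))
        self._cache[name] = (now + self._ttl, answers)
        return answers


if __name__ == "__main__":
    for peer in ("192.0.2.10", "198.51.100.7"):
        print(peer, "forward:", forward_match("app1.example.test", peer),
              "reverse-only:", reverse_only_match("app1.example.test", peer),
              "forward-confirmed:",
              forward_confirmed_reverse_match("app1.example.test", peer))
```

Running the module shows the spoofed PTR at 198.51.100.7 passing the reverse-only check and failing both forward variants; the cache wrapper can be passed as `resolve=` to either forward function.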

