On tis, 2010-08-10 at 10:39 -0400, Tom Lane wrote:
> I was about to complain about that same thing. ISTM the logic ought
> to be that you do a forward DNS lookup on the name presented in
> pg_hba.conf, and if any of the returned IP addresses match the
> connection's remote IP address, then you have a match. This business
> with doing a reverse lookup is at least twice as expensive, far more
> fragile, and it seems completely bogus from a security viewpoint.
If you have hundreds on lines in pg_hba.conf, then you need to do
hundreds of DNS lookups per connection attempt (*), and each of those
lookups could result in even more IP addresses, or could time out. So
if some unrelated part of the system breaks (DNS down), it could take
you hours to establish a connection. On the other hand, with the
reverse DNS lookup, you would normally do about two DNS queries per
successful connection attempt, and those would only be in relation to
the machines actually involved in the connection. Also, if you are in a
names-only environment, you might also like to turn on log_hostnames, in
which case the reverse lookup is free (well, shared).
(*) That could of course be addressed by your earlier idea of caching
the resolved names when pg_hba.conf is read, but I don't think many
people were on board with that idea.