Re: Why don't we allow DNS names in pg_hba.conf?

From Tom Lane
Subject Re: Why don't we allow DNS names in pg_hba.conf?
Date
Msg-id 17937.1136310183@sss.pgh.pa.us
In reply to Re: Why don't we allow DNS names in pg_hba.conf?  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: Why don't we allow DNS names in pg_hba.conf?  (mark@mark.mielke.cc)
Re: Why don't we allow DNS names in pg_hba.conf?  (Tino Wildenhain <tino@wildenhain.de>)
List pgsql-hackers
Andrew Dunstan <andrew@dunslane.net> writes:
> One thing that bothers me slightly is that we would need to look up each 
> name (at least until we found a match) for each connection. If you had 
> lots of names in your pg_hba.conf that could be quite a hit.

A possible answer to that is to *not* look up the names from
pg_hba.conf, but instead restrict the feature to matching the
reverse-DNS name of the client.  This limits the cost to one lookup per
connection instead of N (and it'd be essentially free if you have
log_hostnames turned on, since we already do that lookup in that case).

I'm not sure about the relative usefulness of this compared to the
forward-lookup case, nor whether it's riskier or less risky from a
spoofing point of view.  But something to consider.
        regards, tom lane
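
The spoofing question left open in the message above, as an added example that is not part of the original post and is not PostgreSQL code: a reverse-only match trusts a PTR record that the owner of the client's address block controls, while confirming the name with one forward lookup rejects a PTR that claims someone else's name. The DNS tables, addresses, and function names are constructed for illustration, and the in-memory lookups stand in for real resolver calls.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed DNS data: documentation address ranges and example.com names. */
struct rec { const char *key, *val; };
/* PTR records (ip -> name) are published by whoever controls the address block. */
static const struct rec PTR[] = {
    { "192.0.2.10",   "app1.example.com" },   /* legitimate client */
    { "203.0.113.66", "app1.example.com" },   /* PTR claims a name it does not own */
};
/* A records (name -> ip) are published by the owner of the name's zone. */
static const struct rec A[] = {
    { "app1.example.com", "192.0.2.10" },
    { "app1.example.com", "192.0.2.11" },
};

static const char *reverse_lookup(const char *ip) {
    for (size_t i = 0; i < sizeof PTR / sizeof PTR[0]; i++)
        if (strcmp(PTR[i].key, ip) == 0)
            return PTR[i].val;
    return NULL;    /* no PTR record: the client has no name to match */
}

/* Reverse-only rule: one lookup per connection, trusts the PTR answer as-is. */
int match_reverse_only(const char *client_ip, const char *hba_name) {
    const char *name = reverse_lookup(client_ip);
    return name != NULL && strcasecmp(name, hba_name) == 0;
}

/* Forward-confirmed rule: the matched name must also resolve to the client IP. */
int match_forward_confirmed(const char *client_ip, const char *hba_name) {
    if (!match_reverse_only(client_ip, hba_name))
        return 0;
    for (size_t i = 0; i < sizeof A / sizeof A[0]; i++)
        if (strcasecmp(A[i].key, hba_name) == 0 && strcmp(A[i].val, client_ip) == 0)
            return 1;
    return 0;
}

int main(void) {
    const char *ips[] = { "192.0.2.10", "203.0.113.66", "198.51.100.5" };
    for (size_t i = 0; i < sizeof ips / sizeof ips[0]; i++)
        printf("%-13s reverse-only=%d forward-confirmed=%d\n", ips[i],
               match_reverse_only(ips[i], "app1.example.com"),
               match_forward_confirmed(ips[i], "app1.example.com"));
    return 0;
}
```

The forward confirmation adds one lookup for the single name the PTR returned, so the per-connection cost stays constant rather than growing with the number of names in the file.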

