Re: host name support in pg_hba.conf
| From | Aidan Van Dyk | 
|---|---|
| Subject | Re: host name support in pg_hba.conf | 
| Date | |
| Msg-id | 20100810145027.GS26180@oak.highrise.ca | 
| In reply to | Re: host name support in pg_hba.conf (Tom Lane <tgl@sss.pgh.pa.us>) | 
| Responses | Re: host name support in pg_hba.conf | 
| List | pgsql-hackers | 
* Tom Lane <tgl@sss.pgh.pa.us> [100810 10:39]:
> I was about to complain about that same thing. ISTM the logic ought
> to be that you do a forward DNS lookup on the name presented in
> pg_hba.conf, and if any of the returned IP addresses match the
> connection's remote IP address, then you have a match. This business
> with doing a reverse lookup is at least twice as expensive, far more
> fragile, and it seems completely bogus from a security viewpoint.
> Why should I trust the RDNS server for an attacker's IP address?

Well, you don't trust the RDNS of the IP, you trust the normal lookup of the hostname returned by the RDNS. So if some other IP network is trying to give hostnames that should be authorized, you see that immediately when you resolve the "authorized" hostname and it doesn't give you that IP.

The PTR query is a means to get the "hostname" to check against, so you don't have to pre-cache all those possible results of all the hostnames.

Pre-caching all the hostnames in pg_hba.conf is madness. How long do you cache them for? Or do you send out 1000 queries every connection? You can't support wildcards, or anything useful...

AFAIK, every piece of software I've used that allows hostnames as a connection control does PTR->A/AAAA lookups as Peter proposed.

a.

-- 
Aidan Van Dyk                                             Create like a god,
aidan@highrise.ca                                       command like a king,
http://www.highrise.ca/                                   work like a slave.
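The two checks under discussion side by side, as an added example that is not part of the original thread and not PostgreSQL's own hba.c code: the PTR-then-forward ("forward-confirmed reverse DNS") check Aidan defends, and the forward-only lookup from Tom's quoted reply. The resolver and its zone data are constructed in-memory stand-ins so the example runs offline; the suffix rule (a pg_hba.conf host name beginning with "." matches any host name ending in that suffix) is the form the released feature uses, and the function and class names are this example's own.

```python
"""
Forward-confirmed reverse DNS versus forward-only matching for a
pg_hba.conf-style host name rule.  Added example, not PostgreSQL code.
The resolver below is a constructed stand-in for real PTR and A/AAAA
queries so that the example runs offline.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class ConstructedResolver:
    """Stand-in for the system resolver; both maps are constructed for this example."""
    ptr: Dict[str, List[str]] = field(default_factory=dict)      # ip -> PTR names
    forward: Dict[str, List[str]] = field(default_factory=dict)  # name -> A/AAAA

    def reverse_lookup(self, ip: str) -> List[str]:
        # Normalise the textual address so "2001:DB8::5" and "2001:db8::5" agree.
        return list(self.ptr.get(str(ipaddress.ip_address(ip)), []))

    def forward_lookup(self, name: str) -> List[IPAddr]:
        key = name.lower().rstrip(".")
        return [ipaddress.ip_address(a) for a in self.forward.get(key, [])]


def hostname_matches_rule(hostname: str, rule: str) -> bool:
    """A rule starting with '.' matches any host name ending in that suffix;
    otherwise the names must be equal.  Comparison is case-insensitive and
    ignores a trailing dot."""
    hostname = hostname.lower().rstrip(".")
    rule = rule.lower().rstrip(".")
    if rule.startswith("."):
        return hostname.endswith(rule)
    return hostname == rule


def forward_confirmed_match(resolver: ConstructedResolver, remote_ip: str, rule: str) -> bool:
    """PTR -> candidate names -> keep those matching the rule -> A/AAAA of each
    -> the remote address must be among the answers.

    The PTR answer only selects which name to verify.  Trust comes from the
    forward lookup, which is served by the owner of the authorised zone, not
    by whoever controls reverse DNS for the client's address block.
    """
    remote = ipaddress.ip_address(remote_ip)
    for name in resolver.reverse_lookup(remote_ip):
        if not hostname_matches_rule(name, rule):
            continue
        if remote in resolver.forward_lookup(name):
            return True
    return False


def forward_only_match(resolver: ConstructedResolver, remote_ip: str, rule: str) -> Optional[bool]:
    """The alternative from the quoted reply: resolve the rule's name directly
    and check whether the remote address is among the answers.  A suffix rule
    has no single name to resolve, so the function returns None for it."""
    if rule.startswith("."):
        return None
    remote = ipaddress.ip_address(remote_ip)
    return remote in resolver.forward_lookup(rule)


# Constructed zone data (documentation address ranges, not real hosts).
RESOLVER = ConstructedResolver(
    ptr={
        "192.0.2.10": ["db-client.example.com"],
        # The attacker controls reverse DNS for 198.51.100.7 and claims an
        # authorised name there; the forward zone does not back it up.
        "198.51.100.7": ["db-client.example.com"],
        "2001:db8::5": ["batch01.example.com"],
    },
    forward={
        "db-client.example.com": ["192.0.2.10"],
        "batch01.example.com": ["2001:db8::5", "192.0.2.40"],
    },
)


if __name__ == "__main__":
    for ip, rule in [("192.0.2.10", "db-client.example.com"),
                     ("198.51.100.7", "db-client.example.com"),
                     ("2001:db8::5", ".example.com")]:
        print(ip, rule,
              "fcrdns:", forward_confirmed_match(RESOLVER, ip, rule),
              "forward-only:", forward_only_match(RESOLVER, ip, rule))
```

The spoofed PTR for 198.51.100.7 is rejected by both checks, which is the point Aidan makes: the reverse answer is never trusted on its own. The third case shows what the forward-only approach cannot express: a ".example.com" suffix rule has no name to resolve, so that check returns None while the PTR-then-forward check still confirms the IPv6 client.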