Bruno Wolff III <bruno@wolff.to> writes:
> .... However I don't think doing just forward
> lookups at connect time scales.
Is it necessary that it scale? AFAICS, putting DNS names in pg_hba.conf
would be a convenience feature for low-volume databases. People who are
trying to service lots of connections would put numbers in there anyway
for performance reasons. I'd prefer to go for simplicity here, and just
do the lookups on demand.
I think most of the objections that have been raised in this thread are
not very applicable to real-world uses. The hosts you are going to be
granting database access to are usually nearby ones, and the DNS server
you are going to be consulting is not only nearby but authoritative for
those names. So I think both the speed and security issues are being
overstated. Indeed we should mention them prominently in the docs, but
we should not overengineer the implementation.
regards, tom lane