Re: host name support in pg_hba.conf

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Aidan Van Dyk <aidan(at)highrise(dot)ca>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: host name support in pg_hba.conf
Date: 2010-08-10 15:39:37
Message-ID: 20100810153937.GE26232@tamriel.snowman.net
Lists: pgsql-hackers

* Aidan Van Dyk (aidan(at)highrise(dot)ca) wrote:
> The PTR query is a means to get the "hostname" to check against, so you
> don't have to pre-cache all those possible results of all the hostnames.
> Pre-caching all the hostnames in pg_hba.conf is madness. How long do
> you cache them for? Or do you send out 1000 queries every connection? You
> can't support wildcards, or anything useful...
>
> AFAIK, every software I've used which allows hostnames as some
> connection control all do PTR->A/AAAA lookups as Peter proposed.

Completely agreed. It's madness to precache all these hostnames, but we
need to figure out the hostname, thus, rDNS is used. The forward lookup
is then to double-check that it matches. This is exactly how Kerberos
works also. You certainly don't want to be repeatedly doing rDNS
lookups to see if maybe that IP has other hosts. I also don't buy that
there's an issue with setting up your rDNS to go to what you put in the
pg_hba and then having the forward of that include the IP; again, it's
how Kerberos works, and even if you don't believe in Kerberos, I hope
you realize it's kind of popular.

Thanks,

Stephen
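The PTR-then-forward check the thread describes, written out as an added example (not PostgreSQL's own code and not part of the original message): the client address is resolved backwards to one name, that name is compared against the pg_hba.conf entry, and a forward A/AAAA lookup of the name must contain the client address, so that whoever controls the reverse zone cannot simply claim a trusted name. The resolver is injected as two callables; the `fake_*` functions and the PTR/FORWARD tables below are constructed records so the example runs offline, and `system_*` are the equivalent calls against the real resolver. The leading-dot suffix match (`.example.com`) is the pg_hba.conf convention for matching a whole domain.

```python
"""PTR -> forward double-check for host name entries in pg_hba.conf.

Added example, not PostgreSQL's code.  Resolver functions are injectable so
the constructed records below run offline; system_ptr/system_forward use the
socket module against the real resolver.
"""
import ipaddress
import socket

# Constructed records for offline use (not real DNS data):
#  - 192.0.2.10 and 2001:db8::10 have a PTR whose forward lookup confirms them
#  - 192.0.2.66 has a PTR claiming the same name, but the forward lookup of
#    that name does not include .66 (the "spoofed rDNS" case)
#  - anything else has no PTR record at all
PTR = {
    "192.0.2.10": "db-client.example.com",
    "192.0.2.66": "db-client.example.com",
    "2001:db8::10": "db-client.example.com",
}
FORWARD = {
    "db-client.example.com": ["192.0.2.10", "2001:db8::10"],
}


def fake_ptr(ip):
    name = PTR.get(ip)
    if name is None:
        raise LookupError(f"no PTR for {ip}")
    return name


def fake_forward(name):
    return FORWARD.get(name, [])


def system_ptr(ip):
    # Reverse lookup via the OS resolver; raises socket.herror when no PTR exists.
    return socket.gethostbyaddr(ip)[0]


def system_forward(name):
    # All A and AAAA answers for the name; sockaddr[0] is the textual address.
    return [info[4][0] for info in socket.getaddrinfo(name, None)]


def hostname_matches(candidate, hba_name):
    """pg_hba.conf-style comparison: exact name, or a leading-dot entry
    ('.example.com') that matches any host under that domain.  Case and a
    trailing root dot are ignored."""
    candidate = candidate.lower().rstrip(".")
    hba_name = hba_name.lower().rstrip(".")
    if hba_name.startswith("."):
        return candidate.endswith(hba_name)
    return candidate == hba_name


def check_hba_hostname(client_ip, hba_name, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (accepted, reason) for one connecting address against one entry.

    1. PTR query on the client address gives a single name to compare with
       the pg_hba.conf entry, so no entry ever needs to be pre-resolved.
    2. Forward (A/AAAA) query on that name must include the client address;
       otherwise a hostile reverse zone could return any name it likes.
    """
    ip = ipaddress.ip_address(client_ip)
    try:
        name = ptr_lookup(str(ip))
    except (LookupError, OSError):
        return False, "no PTR record"
    if not hostname_matches(name, hba_name):
        return False, f"PTR name {name!r} does not match entry {hba_name!r}"
    try:
        forward = {ipaddress.ip_address(a) for a in forward_lookup(name)}
    except (OSError, ValueError):
        return False, f"forward lookup of {name!r} failed"
    if ip not in forward:
        return False, f"forward lookup of {name!r} does not contain {ip}"
    return True, f"{ip} -> {name} -> {ip} confirmed"


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.66", "192.0.2.99", "2001:db8::10"):
        ok, why = check_hba_hostname(addr, ".example.com", fake_ptr, fake_forward)
        print(f"{addr:>14} {'accept' if ok else 'reject'}: {why}")
```

Only one reverse query and one forward query are issued per connection, which is the cost the thread is arguing for; the spoofed-PTR address is rejected at the forward step even though its reverse name matched the entry.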
