Re: Why don't we allow DNS names in pg_hba.conf?

Mark Woodward wrote:

>>Mark Woodward wrote:
>>
>>
>>
>>>>If I am a road warrior I want to be able to connect, run my dynamic dns
>>>>client, and go.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>In your scenario of working as a road warrior, you are almost
>>>certainly not going to be able to have a workable DNS host name unless
>>>you
>>>have a raw internet IP address. More than likely you will have an IP
>>>address (known to your laptop) as a 192 or 10 address.
>>>
>>>
>>>
>>Nonsense. There is a dynamic DNS client that is quite smart enough to
>>find out and use the gateway address. See:
>>http://ddclient.sourceforge.net/
>>
>>I'm sure there are others, including some for Windows.
>>
>>
>>
>
>But then, there is another problem, if you don't have a real and true IP
>address, if you are on anonymous 192 or 10 net (most likely the case),
>then your dynamic DNS entry allows EVERYONE on your network the same
>access.
>
>I still say an SSH tunnel with port forwarding is more secure, besides you
>can even compress the data stream.
>
>
>
>

And then you have to allow shell access. What's wrong with SSL with
client certificates?

Personally, I doubt there's any great use case for DNS names. Like Tom
says, if it involves much more that removing the AI_NUMERICHOST hint
then let's forget it.

(I also agree with a point Jan sometimes makes - that end client s/w
generally should not be talking to the db at all - that's what
middleware is for. Then this whole discussion becomes moot.)

cheers

andrew