From: | "Andrew Dunstan" <andrew(at)dunslane(dot)net> |
---|---|
To: | "PostgreSQL Hackers Mailing List" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: CIDR in pg_hba.conf |
Date: | 2003-05-09 13:14:21 |
Message-ID: | 002101c3162c$e82903c0$6401a8c0@DUNSLANE |
Lists: | pgsql-hackers |

I agree with this 100%.

My plan was simply at connect time to loop through the stuff returned by
getaddrinfo looking for a matching address. Risks in terms of security and
connect time are matters for documentation, IMNSHO.

andrew

----- Original Message -----
From: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Bruno Wolff III" <bruno(at)wolff(dot)to>
Cc: "Curt Sampson" <cjs(at)cynic(dot)net>; "PostgreSQL Hackers Mailing List"
<pgsql-hackers(at)postgresql(dot)org>
Sent: Friday, May 09, 2003 8:50 AM
Subject: Re: [HACKERS] CIDR in pg_hba.conf
> Bruno Wolff III <bruno(at)wolff(dot)to> writes:
> > .... However I don't think doing just forward
> > lookups at connect time scales.
>
> Is it necessary that it scale? AFAICS, putting DNS names in pg_hba.conf
> would be a convenience feature for low-volume databases. People who are
> trying to service lots of connections would put numbers in there anyway
> for performance reasons. I'd prefer to go for simplicity here, and just
> do the lookups on demand.
>
> I think most of the objections that have been raised in this thread are
> not very applicable to real-world uses. The hosts you are going to be
> granting database access to are usually nearby ones, and the DNS server
> you are going to be consulting is not only nearby but authoritative for
> those names. So I think both the speed and security issues are being
> overstated. Indeed we should mention them prominently in the docs, but
> we should not overengineer the implementation.
>
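
The connect-time check described in this message, as an added example that is not part of the original post or of PostgreSQL's code: resolve the configured name with `getaddrinfo` and compare every returned address with the client's address, treating a failed lookup as no match. The function names `hba_name_matches_peer` and `peer_from_ipv4` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose getaddrinfo under strict -std= modes */
#endif
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Same family and same address bytes; ports are ignored. */
static int same_address(const struct sockaddr *a, const struct sockaddr *b)
{
    if (a->sa_family != b->sa_family)
        return 0;
    if (a->sa_family == AF_INET)
        return memcmp(&((const struct sockaddr_in *) a)->sin_addr,
                      &((const struct sockaddr_in *) b)->sin_addr,
                      sizeof(struct in_addr)) == 0;
    if (a->sa_family == AF_INET6)
        return memcmp(&((const struct sockaddr_in6 *) a)->sin6_addr,
                      &((const struct sockaddr_in6 *) b)->sin6_addr,
                      sizeof(struct in6_addr)) == 0;
    return 0;
}

/* Hypothetical helper: 1 if any address `name` resolves to equals `peer`,
 * 0 otherwise. A lookup failure is a non-match, so the check fails closed. */
int hba_name_matches_peer(const char *name, const struct sockaddr *peer)
{
    struct addrinfo hints, *res = NULL, *ai;
    int matched = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;      /* accept both IPv4 and IPv6 results */
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, not per socktype */
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return 0;
    for (ai = res; ai != NULL && !matched; ai = ai->ai_next)
        matched = same_address(ai->ai_addr, peer);
    freeaddrinfo(res);
    return matched;
}

/* Hypothetical demo helper: build an IPv4 peer address from dotted text. */
int peer_from_ipv4(const char *text, struct sockaddr_in *out)
{
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    return inet_pton(AF_INET, text, &out->sin_addr) == 1;
}
```

Passing a numeric string such as `127.0.0.1` as the name exercises the same code path without a DNS query, which is how the function can be tried offline.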