| From: | Larry Rosenman <ler(at)lerctr(dot)org> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net>, PostgreSQL Hackers Mailing List <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: CIDR in pg_hba.conf |
| Date: | 2003-05-07 19:45:37 |
| Message-ID: | 106130000.1052336737@lerlaptop.iadfw.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
--On Wednesday, May 07, 2003 15:12:42 -0400 Andrew Dunstan
<andrew(at)dunslane(dot)net> wrote:
> My slightly cursory look at the relevant section of hba.c suggests that
> the resolution would done at connect time, not at file parse time - I'm
> sure someone will correct me if I'm wrong.
I think it needs to be done at file parse time, and double-reverse tested.
And re-parse on SIGHUP.
>
> I wasn't going to do reverse lookup - do you think we should? Basically I
> was going to match if a forward mapping of the DNS name matched the socket
> address.
It can be spoofed then. You would need to double-reverse check it.
>
> The other issue is that doing an address lookup has the potential to add
> hugely to the time taken to establish connections - CNAMEs will make this
> worse, caching will make it better. Using reverse lookups would
> significantly increase this impact.
Another reason to do it at FILE PARSE time, so that we don't do it as
often.
>
> Maybe we need to think a bit harder about this. Or at the very least put a
> prominent warning in the docs and sample files, just like Apache does in
> relation to the same issue for log files etc.
Being in the ISP biz, and also running DNS for folks, I figured I'd raise
the issue.
I was thinking file parse time, so you could turn the records into /32's in
the parsed
representation. Also, what about **MULTIPLE** A records for the same name?
LER
>
> andrew
>
>
> ----- Original Message -----
> From: "Larry Rosenman" <ler(at)lerctr(dot)org>
>
>> One thing I thought of, is when do you do the resolution of name-to-ip?
>> You may need
>> to think about spoofs and DNS issues.
>>
>> Please think about this, as cache-poisoning, and trashy reverse-DNS is a
>> real issue
>> out there.
>>
>> LER
>>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to majordomo(at)postgresql(dot)org
>
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler(at)lerctr(dot)org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
| From | Date | Subject | |
|---|---|---|---|
| Next Message | D'Arcy J.M. Cain | 2003-05-07 19:57:41 | Re: CIDR in pg_hba.conf |
| Previous Message | Michael Brusser | 2003-05-07 19:31:07 | could not read transaction log directory ...? |