Re: CIDR in pg_hba.conf

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Larry Rosenman <ler(at)lerctr(dot)org>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, PostgreSQL Hackers Mailing List <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: CIDR in pg_hba.conf
Date: 2003-05-08 13:17:24
Message-ID: 20030508131724.GA1451@wolff.to
Lists: pgsql-hackers

On Wed, May 07, 2003 at 16:11:01 -0500,
Larry Rosenman <ler(at)lerctr(dot)org> wrote:
>
> a paranoid lookup: name->ip->name and make sure it's sane.
> (My abuse/security/paranoid hat).

You don't have to do paranoid lookups when starting with a forward address.
You need to do paranoid lookups when starting with a reverse address.
The reason to start with a reverse address is it may be too costly to
just try forward addresses until you get a match.

However, this might be relevant to hba.conf. If there are lots of forward
addresses in the file and the plan is to check them at connection time
instead of server start time, then it may be a good idea to do a reverse
lookup for efficiency.

If you do start with a reverse lookup this will cause problems for people
that don't control their reverse DNS and to some extent for machines
that have several A records pointing to their IP address, since you really
should only have one PTR record (since there is software that assumes there
is only one) and you will need to be careful to use the matching A record
in hba.conf.
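The two lookup orders discussed in this reply, as an added example that is not part of the thread or of PostgreSQL's code: a forward-only match against the hba.conf names, and a reverse-first match that forward-confirms the PTR name (the "paranoid" name->ip->name check). The DNS data is a constructed stub so the code runs offline; the `system_*` helpers that use the real resolver are hypothetical extras.

```python
import socket

# Constructed stub DNS data (documentation-range addresses, not real hosts) so the
# example runs offline. 192.0.2.10 and .11 are two A records of one host; only .10
# has a PTR, as the message recommends. 192.0.2.20's PTR claims the trusted name
# but the forward zone does not confirm it, the case a paranoid lookup must catch.
STUB_PTR = {"192.0.2.10": "db-client.example.com",
            "192.0.2.20": "db-client.example.com"}
STUB_A = {"db-client.example.com": ["192.0.2.10", "192.0.2.11"]}

def stub_reverse(ip):
    return STUB_PTR.get(ip)           # None when the IP has no PTR record

def stub_forward(name):
    return STUB_A.get(name, [])       # [] when the name does not resolve

def forward_match(peer_ip, hba_names, forward=stub_forward):
    """Start from the forward addresses: resolve every hostname listed in
    hba.conf and compare against the peer IP. The names come from the trusted
    config file, so no paranoid (name->ip->name) check is needed; the cost is
    one forward lookup per configured name on every connection."""
    return any(peer_ip in forward(name) for name in hba_names)

def reverse_match(peer_ip, hba_names, reverse=stub_reverse, forward=stub_forward):
    """Start from the reverse address: one PTR lookup gives a candidate name,
    which is trusted only after forward-confirming that it resolves back to
    the peer IP (the paranoid lookup). Cheaper, but it fails for addresses
    without a PTR, including secondary A records of a multi-address host."""
    name = reverse(peer_ip)
    if name is None or name not in hba_names:
        return False
    return peer_ip in forward(name)

# Hypothetical helpers wiring the same checks to the system resolver.
def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []
```

With the stub data, the host's second address (192.0.2.11) passes only the forward-only check, and the forged PTR on 192.0.2.20 is rejected by both.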
