Re: CIDR in pg_hba.conf

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruno Wolff III <bruno(at)wolff(dot)to>
Cc: Curt Sampson <cjs(at)cynic(dot)net>, PostgreSQL Hackers Mailing List <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: CIDR in pg_hba.conf
Date: 2003-05-09 12:50:38
Message-ID: 29933.1052484638@sss.pgh.pa.us
Lists: pgsql-hackers

Bruno Wolff III <bruno(at)wolff(dot)to> writes:
> .... However I don't think doing just forward
> lookups at connect time scales.

Is it necessary that it scale? AFAICS, putting DNS names in pg_hba.conf
would be a convenience feature for low-volume databases. People who are
trying to service lots of connections would put numbers in there anyway
for performance reasons. I'd prefer to go for simplicity here, and just
do the lookups on demand.

I think most of the objections that have been raised in this thread are
not very applicable to real-world uses. The hosts you are going to be
granting database access to are usually nearby ones, and the DNS server
you are going to be consulting is not only nearby but authoritative for
those names. So I think both the speed and security issues are being
overstated. Indeed we should mention them prominently in the docs, but
we should not overengineer the implementation.

regards, tom lane
