Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

From: "dennisr(at)visi(dot)com" <dennisr(at)visi(dot)com>
To: pgsql-admin(at)postgresql(dot)org
Cc: Scott Whitney <scott(at)journyx(dot)com>
Subject: Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification
Date: 2016-12-05 23:05:59
Message-ID: 369ED3B4-CAF3-4BBB-904F-E86999249D8E@visi.com
Lists: pgsql-admin

Thanks for the quick reply. Here are some details on how we have things configured.

We are using RHEL 7.3; the DNS names below have been changed to protect the innocent, or not so innocent, depending on your point of view.

If I do an nslookup on the database host against the following CNAME, some-cname-host.example.com, I get:

$> nslookup some-cname-host.example.com
Server: 10.97.40.215
Address: 10.97.40.215#53

some-cname-host.example.com canonical name = canonical-host-name.example.com.
Name: canonical-host-name.example.com
Address: 10.65.160.213

When I do the reverse lookup on the IP address returned above I get the following:

$> nslookup 10.65.160.213
Server: 10.97.40.215
Address: 10.97.40.215#53

213.160.65.10.in-addr.arpa name = canonical-host-name.example.com.

In our pg_hba.conf I have a line:

# TYPE DATABASE USER ADDRESS METHOD
hostssl replication streaming_user_name some-cname-host.example.com

But when I try to connect as the streaming_user_name with the following command, I get the following error (postgresql_hostname is the host where I ran the nslookups above):

bash-4.2$ psql -U streaming_user_name -h postgresql_hostname -c "IDENTIFY_SYSTEM" replication=1

psql: FATAL: no pg_hba.conf entry for replication connection from host "10.65.160.213", user "streaming_user_name", SSL on
FATAL: no pg_hba.conf entry for replication connection from host "10.65.160.213", user "streaming_user_name", SSL off

So I am not sure what I would need to fix or add on the database host to allow it to resolve the CNAME in a way the postgres instance could use and have it pass the validation rules from the documentation. Am I missing something in the DNS configuration?

> On Dec 5, 2016, at 3:56 PM, Scott Whitney <scott(at)journyx(dot)com> wrote:
>
> Honestly, if your DNS is properly setup, it should work fine, yes.
>
>
> From: pgsql-admin-owner(at)postgresql(dot)org <pgsql-admin-owner(at)postgresql(dot)org> on behalf of dennisr(at)visi(dot)com <dennisr(at)visi(dot)com>
> Sent: Monday, December 5, 2016 3:49 PM
> To: pgsql-admin(at)postgresql(dot)org
> Subject: [ADMIN] Are dns CNAME's allowed or useable in pg_hba.conf hostname specification
>
> From reading the docs it looks like a CNAME will not in general work as a hostname specification in pg_hba.conf. Is that a correct interpretation of the documentation?
>
> From the docs (https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html):
>
> If a host name is specified (anything that is not an IP address range or a special key word is treated as a host name), that name is compared with the result of a reverse name resolution of the client's IP address (e.g., reverse DNS lookup, if DNS is used). Host name comparisons are case insensitive. If there is a match, then a forward name resolution (e.g., forward DNS lookup) is performed on the host name to check whether any of the addresses it resolves to are equal to the client's IP address. If both directions match, then the entry is considered to match. (The host name that is used in pg_hba.conf should be the one that address-to-name resolution of the client's IP address returns, otherwise the line won't be matched. Some host name databases allow associating an IP address with multiple host names, but the operating system will only return one host name when asked to resolve an IP address.)
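As an added illustration (not code from the thread or from PostgreSQL), the Python below models the two-step check quoted from the documentation against a constructed DNS table that mirrors the nslookup output in this message. It assumes nothing beyond that table: the CNAME entry fails at step one because the PTR record names the canonical host, while an entry using the canonical name passes both steps.

```python
# Constructed DNS data mirroring the nslookup output above (not a real resolver).
FORWARD = {
    "some-cname-host.example.com": {"cname": "canonical-host-name.example.com"},
    "canonical-host-name.example.com": {"a": ["10.65.160.213"]},
}
REVERSE = {"10.65.160.213": "canonical-host-name.example.com"}


def _norm(name):
    """Host name comparison is case-insensitive; drop a trailing dot too."""
    return name.lower().rstrip(".")


def resolve_forward(name, max_hops=8):
    """Forward lookup: follow CNAMEs, return the list of A addresses."""
    name = _norm(name)
    for _ in range(max_hops):
        rec = FORWARD.get(name)
        if rec is None:
            return []
        if "cname" in rec:
            name = _norm(rec["cname"])  # chase the alias to its canonical name
            continue
        return list(rec.get("a", []))
    return []  # CNAME chain too long or looping


def resolve_reverse(ip):
    """Reverse (PTR) lookup: the OS returns a single name, or nothing."""
    name = REVERSE.get(ip)
    return _norm(name) if name else None


def hba_hostname_matches(entry_host, client_ip):
    """Model of the documented pg_hba.conf host name match.
    1. Reverse-resolve the client IP and compare with the entry.
    2. Only on a match, forward-resolve the entry and require the
       client IP among its addresses. Returns (matched, reason)."""
    ptr_name = resolve_reverse(client_ip)
    if ptr_name is None:
        return False, "no PTR record for client address"
    if ptr_name != _norm(entry_host):
        return False, "PTR name %r != entry %r" % (ptr_name, entry_host)
    if client_ip not in resolve_forward(entry_host):
        return False, "forward lookup of entry does not return client address"
    return True, "reverse and forward lookups agree"


if __name__ == "__main__":
    for host in ("some-cname-host.example.com", "canonical-host-name.example.com"):
        print(host, hba_hostname_matches(host, "10.65.160.213"))
```

Note that the forward lookup of the CNAME does return the client address; the entry is rejected purely because the reverse lookup yields the canonical name, which is what the documentation's parenthetical warns about.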
