From: | Andreas Pflug <pgadmin(at)pse-consulting(dot)de> |
---|---|
To: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgreSQL(dot)org |
Subject: | Re: Why don't we allow DNS names in pg_hba.conf? |
Date: | 2006-01-01 20:03:00 |
Message-ID: | 43B83574.3030607@pse-consulting.de |
Lists: | pgsql-hackers |
Marc G. Fournier wrote:
> On Sun, 1 Jan 2006, Tom Lane wrote:
>
>> I was reminded of $subject by
>> http://archives.postgresql.org/pgsql-admin/2006-01/msg00002.php
>>
>> While I haven't tried it, I suspect that allowing a DNS host name
>> would take little work (basically removing the AI_NUMERICHOST flag
>> passed to getaddrinfo in hba.c). There was once a good reason not
>> to allow it: slow DNS lookups would lock up the postmaster. But
>> now that we do this work in an already-forked backend, with an overall
>> timeout that would catch any indefinite blockage, I don't see a good
>> reason why we shouldn't let people use DNS names.
>>
>> Thoughts?
>
>
> Security?

I'd bet most pg_hba.conf entries will be (private) networks, not hosts.
Since private networks defined in DNS are probably quite rare, only a few
people could benefit.

Those who *do* define specific host entries are probably quite security
aware. They might find DNS safe for their purposes, but they'd probably
like a function that shows the resulting hba entries after DNS resolution.

Routers/firewalls that allow DNS names will usually resolve them
immediately, and store the IP addresses.

Regards,
Andreas
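
A sketch of the kind of function described above, as an added example that is not part of the original message or of PostgreSQL: it expands a CIDR-form pg_hba.conf into the rules that result after name resolution, using the AI_NUMERICHOST check mentioned for hba.c to tell literals from names. The file contents, the host name in the address column (the hypothetical syntax under discussion), the canned DNS answers and the `resolve` hook are all assumptions made for the illustration.

```python
import ipaddress
import socket

# Constructed sample (CIDR form of pg_hba.conf); host name and answers are hypothetical.
SAMPLE_HBA = """\
host    all       all   192.168.0.0/24          md5
host    sales     app   db-client.example.test  md5
local   all       all                           trust
"""
SAMPLE_DNS = {"db-client.example.test": ["10.1.2.3", "10.1.2.4"]}


def is_numeric(host):
    """True if host parses without a lookup, the check AI_NUMERICHOST enforces."""
    try:
        socket.getaddrinfo(host, None, flags=socket.AI_NUMERICHOST)
        return True
    except socket.gaierror:
        return False


def system_resolve(name):
    """Default resolver: every address the local resolver returns for name."""
    infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def expand_hba(text, resolve=system_resolve):
    """Return the host rules as (database, user, network, method, origin) tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 5 or not fields[0].startswith("host"):
            continue  # comments, blank lines, local sockets, address+mask form
        _, database, user, address, method = fields
        host = address.split("/", 1)[0]
        if is_numeric(host):
            nets, origin = [address], "literal"
        else:  # a name: one rule per address it currently maps to
            nets, origin = resolve(address), "dns:" + address
        for net in nets:
            net = ipaddress.ip_network(net.split("%", 1)[0], strict=False)
            rules.append((database, user, str(net), method, origin))
    return rules


if __name__ == "__main__":
    for rule in expand_hba(SAMPLE_HBA, resolve=SAMPLE_DNS.__getitem__):
        print(*rule)
```

Comparing the output of two runs shows when a DNS change has silently altered who a rule admits, which is the drift that the resolve-once-and-store behaviour of routers and firewalls avoids.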