Re: Why don't we allow DNS names in pg_hba.conf?

Euler Taveira de Oliveira wrote:

>--- "Jim C. Nasby" <jnasby(at)pervasive(dot)com> escreveu:
>
>
>
>>I don't know if the normal DNS libraries allow this, but it would be
>>cool if you could specify that an entry in pg_hba.conf could be
>>looked
>>up from /etc/hosts, but not from generic DNS. AFAIK that would
>>eliminate
>>the possibility of spoofing.
>>
>>
>>
>Take a look at 'man /etc/host.conf'.
>
>
>
>

That won't work for per application settings. I think this is a non starter.

I have been thinking more about possible real world use cases for this
facility. I suspect they will be comparatively rare. In cases where you
don't trust DNS you shouldn't use it, and in cases where you do you
probably know the address(es) anyway. If the change is simple it's worth
doing, but it's not a huge leap. The biggest wrinkle will probably be
handling names that map to multiple addresses.

One thing that bothers me slightly is that we would need to look up each
name (at least until we found a match) for each connection. If you had
lots of names in your pg_hba.conf that could be quite a hit. We need to
test this not with one but with a couple of hundred names, maybe, to see
what the hit is like.

cheers

andrew