Peter Eisentraut <pete...@gmx.net> writes:
> On tis, 2010-08-10 at 10:39 -0400, Tom Lane wrote:
>> I was about to complain about that same thing. ISTM the logic ought
>> to be that you do a forward DNS lookup on the name presented in
>> pg_hba.conf, and if any of the returned IP addresses match the
>> connection's remote IP address, then you have a match. This business
>> with doing a reverse lookup is at least twice as expensive, far more
>> fragile, and it seems completely bogus from a security viewpoint.
> If you have hundreds on lines in pg_hba.conf, then you need to do
> hundreds of DNS lookups per connection attempt (*), and each of those
> lookups could result in even more IP addresses, or could time out.
If you have a configuration that would actually require that, then you
would have a case for using a wildcard. My complaint is that you're
trying to force everyone to pay for that feature whether it's of use to
them or not. I think it's at least as likely that typical setups would
need exactly *one*, non wildcard, entry, to wit appserver.mycompany.com
(which'd necessarily yield IPs for all the machines running your app
server code).
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
