Marc G. Fournier wrote:

On Sun, 1 Jan 2006, Tom Lane wrote:

I was reminded of $subject by
http://archives.postgresql.org/pgsql-admin/2006-01/msg00002.php

While I haven't tried it, I suspect that allowing a DNS host name
would take little work (basically removing the AI_NUMERICHOST flag
passed to getaddrinfo in hba.c).  There was once a good reason not
to allow it: slow DNS lookups would lock up the postmaster.  But
now that we do this work in an already-forked backend, with an overall
timeout that would catch any indefinite blockage, I don't see a good
reason why we shouldn't let people use DNS names.

Thoughts?


Security?


I'd bet most pg_hba.conf entries will be (private) networks, not hosts. Since private networks defined in DNS are probably quite rare, only few people could benefit.

Those who *do* define specific host entries, are probably quite security aware. They might find DNS safe for their purposes, but they'd probably like a function that shows the resulting hba entries after DNS resolution.

Routers/firewalls that allow DNS names will usually resolve them immediately, and store the IP addresses.

Regards,
Andreas
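
A sketch of the function Andreas asks for, one that shows the hba entries that result after DNS resolution. This is an added example, not part of the thread or of PostgreSQL; it assumes a host name may appear in the address field of a `host` line as the thread proposes, and `expand_hba`, `fake_resolver`, `SAMPLE` and `FAKE_DNS` are names and data constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample input; host names in the address field are an assumption.
SAMPLE = """\
local   all  all                    trust
host    all  all  10.0.0.0/8        md5
host    app  web  db1.example.com   md5
host    app  web  gone.example.com  md5
"""
FAKE_DNS = {"db1.example.com": ["192.0.2.10", "192.0.2.11"]}  # constructed

def fake_resolver(name):  # offline stand-in for DNS
    if name not in FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "no such host (constructed)")
    return FAKE_DNS[name]

def system_resolver(name):  # real lookup through the system resolver
    infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def is_numeric(address):
    """True for an IP address or CIDR network, which needs no lookup."""
    try:
        ipaddress.ip_network(address, strict=False)
        return True
    except ValueError:
        return False

def expand_hba(text, resolve=system_resolver):
    """Return the host lines with each name replaced by what it resolves to."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blank lines and 'local' entries
        if is_numeric(fields[3]):
            out.append(" ".join(fields))
            continue
        try:
            addrs = resolve(fields[3])
        except OSError:  # socket.gaierror is a subclass
            addrs = []
        if not addrs:  # a rule that silently matches nobody is worth flagging
            out.append(f"# UNRESOLVED {fields[3]}: " + " ".join(fields))
        for addr in addrs:
            prefix = 128 if ":" in addr else 32
            out.append(" ".join(fields[:3] + [f"{addr}/{prefix}"] + fields[4:]))
    return out
```

Calling `expand_hba(SAMPLE, fake_resolver)` runs offline; omitting the second argument uses the system resolver, so comparing two runs over time shows when a name-based rule has started admitting different addresses.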

