Re: CIDR in pg_hba.conf
| От | Larry Rosenman |
|---|---|
| Тема | Re: CIDR in pg_hba.conf |
| Дата | |
| Msg-id | 106130000.1052336737@lerlaptop.iadfw.net обсуждение исходный текст |
| Ответ на | Re: CIDR in pg_hba.conf ("Andrew Dunstan" <andrew@dunslane.net>) |
| Список | pgsql-hackers |
--On Wednesday, May 07, 2003 15:12:42 -0400 Andrew Dunstan <andrew@dunslane.net> wrote: > My slightly cursory look at the relevant section of hba.c suggests that > the resolution would done at connect time, not at file parse time - I'm > sure someone will correct me if I'm wrong. I think it needs to be done at file parse time, and double-reverse tested. And re-parse on SIGHUP. > > I wasn't going to do reverse lookup - do you think we should? Basically I > was going to match if a forward mapping of the DNS name matched the socket > address. It can be spoofed then. You would need to double-reverse check it. > > The other issue is that doing an address lookup has the potential to add > hugely to the time taken to establish connections - CNAMEs will make this > worse, caching will make it better. Using reverse lookups would > significantly increase this impact. Another reason to do it at FILE PARSE time, so that we don't do it as often. > > Maybe we need to think a bit harder about this. Or at the very least put a > prominent warning in the docs and sample files, just like Apache does in > relation to the same issue for log files etc. Being in the ISP biz, and also running DNS for folks, I figured I'd raise the issue. I was thinking file parse time, so you could turn the records into /32's in the parsed representation. Also, what about **MULTIPLE** A records for the same name? LER > > andrew > > > ----- Original Message ----- > From: "Larry Rosenman" <ler@lerctr.org> > >> One thing I thought of, is when do you do the resolution of name-to-ip? >> You may need >> to think about spoofs and DNS issues. >> >> Please think about this, as cache-poisoning, and trashy reverse-DNS is a >> real issue >> out there. >> >> LER >> > > > ---------------------------(end of broadcast)--------------------------- > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org > -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 972-414-9812 E-Mail: ler@lerctr.org US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
В списке pgsql-hackers по дате отправления: