Re: Why don't we allow DNS names in pg_hba.conf?
From | Tom Lane |
---|---|
Subject | Re: Why don't we allow DNS names in pg_hba.conf? |
Date | |
Msg-id | 17937.1136310183@sss.pgh.pa.us |
In response to | Re: Why don't we allow DNS names in pg_hba.conf? (Andrew Dunstan <andrew@dunslane.net>) |
Responses |
Re: Why don't we allow DNS names in pg_hba.conf?
Re: Why don't we allow DNS names in pg_hba.conf? |
List | pgsql-hackers |
Andrew Dunstan <andrew@dunslane.net> writes:
> One thing that bothers me slightly is that we would need to look up each
> name (at least until we found a match) for each connection. If you had
> lots of names in your pg_hba.conf that could be quite a hit.

A possible answer to that is to *not* look up the names from pg_hba.conf,
but instead restrict the feature to matching the reverse-DNS name of the
client. This limits the cost to one lookup per connection instead of N
(and it'd be essentially free if you have log_hostnames turned on, since
we already do that lookup in that case).

I'm not sure about the relative usefulness of this compared to the
forward-lookup case, nor whether it's riskier or less risky from a
spoofing point of view. But something to consider.

regards, tom lane
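The lookup-cost trade-off discussed in the message above, as an added example that is not code from the thread or from PostgreSQL: it counts resolver calls for the forward-lookup and reverse-lookup strategies over constructed tables that stand in for DNS. The resolver class, the function names and the `confirm` option (a forward check of the reverse name, which goes beyond what the message proposes) are assumptions of this sketch.

```python
# Constructed sample data standing in for DNS so the example runs offline.
FORWARD = {  # name -> addresses (A records), set by the owner of the name
    "app1.example.com": {"192.0.2.10"},
    "app2.example.com": {"192.0.2.11"},
    "db-admin.example.com": {"192.0.2.20"},
}
REVERSE = {  # address -> PTR name, set by whoever runs that address's reverse zone
    "192.0.2.11": "app2.example.com",
    "203.0.113.5": "db-admin.example.com",  # PTR claim not backed by the A record
}

class CountingResolver:
    """Hypothetical resolver that counts lookups instead of querying DNS."""
    def __init__(self):
        self.lookups = 0

    def forward(self, name):
        self.lookups += 1
        return FORWARD.get(name, set())

    def reverse(self, addr):
        self.lookups += 1
        return REVERSE.get(addr)

def match_forward(client_ip, hba_names, dns):
    """Resolve each configured name until one yields the client address."""
    for name in hba_names:
        if client_ip in dns.forward(name):
            return name
    return None

def match_reverse(client_ip, hba_names, dns, confirm=False):
    """One PTR lookup per connection; optionally one forward lookup to confirm."""
    name = dns.reverse(client_ip)
    if name is None or name not in hba_names:
        return None
    if confirm and client_ip not in dns.forward(name):
        return None  # the PTR name does not resolve back to the client
    return name

def demo(client_ip, strategy, **options):
    """Return (matched name or None, number of lookups performed)."""
    dns = CountingResolver()
    return strategy(client_ip, list(FORWARD), dns, **options), dns.lookups

if __name__ == "__main__":
    for ip in ("192.0.2.11", "203.0.113.5"):
        print(ip, demo(ip, match_forward), demo(ip, match_reverse),
              demo(ip, match_reverse, confirm=True))
```

The second constructed address shows why the spoofing question matters: its PTR record names a configured host, so the reverse-only match succeeds unless the name is also checked in the forward direction.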