On Wed, May 07, 2003 at 15:12:42 -0400, Andrew Dunstan <andrew@dunslane.net> wrote:
> My slightly cursory look at the relevant section of hba.c suggests that the
> resolution would done at connect time, not at file parse time - I'm sure
> someone will correct me if I'm wrong.
>
> I wasn't going to do reverse lookup - do you think we should? Basically I
> was going to match if a forward mapping of the DNS name matched the socket
> address.
There isn't a reason to do reverse lookups in this case. It will just
make things harder to use (in the case where there are multiple A
records pointing to the same IP address) and won't add any useful
security.
> The other issue is that doing an address lookup has the potential to add
> hugely to the time taken to establish connections - CNAMEs will make this
> worse, caching will make it better. Using reverse lookups would
> significantly increase this impact.
Once your local DNS cache has the A records cached the slowdown should
be minimal.
> Maybe we need to think a bit harder about this. Or at the very least put a
> prominent warning in the docs and sample files, just like Apache does in
> relation to the same issue for log files etc.
Yes there should be something about possible delays in the docs as well
as mentioning that the domain to IP address translation happens at
connect time, not server start up.