Re: CIDR in pg_hba.conf
From | Bruno Wolff III |
---|---|
Subject | Re: CIDR in pg_hba.conf |
Date | |
Msg-id | 20030508131724.GA1451@wolff.to |
In reply to | Re: CIDR in pg_hba.conf (Larry Rosenman <ler@lerctr.org>) |
List | pgsql-hackers |
On Wed, May 07, 2003 at 16:11:01 -0500, Larry Rosenman <ler@lerctr.org> wrote:
>
> a paranoid lookup: name->ip->name and make sure it's sane.
> (My abuse/security/paranoid hat).

You don't have to do paranoid lookups when starting with a forward address. You need to do paranoid lookups when starting with a reverse address. The reason to start with a reverse address is it may be too costly to just try forward addresses until you get a match.

However, this might be relevant to hba.conf. If there are lots of forward addresses in the file and the plan is to check them at connection time instead of server start time, then it may be a good idea to do a reverse lookup for efficiency.

If you do start with a reverse lookup this will cause problems for people that don't control their reverse DNS and to some extent for machines that have several A records pointing to their IP address, since you really should only have one PTR record (since there is software that assumes there is only one) and you will need to be careful to use the matching A record in hba.conf.
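
The two lookup orders discussed in this message, as an added example that is not part of the original post and is not PostgreSQL code. The function names, the injectable `forward`/`reverse` resolvers and the zone data are assumptions constructed for illustration; addresses are compared as text.

```python
import socket

def forward_lookup(name):
    """A/AAAA lookup: set of address strings for name (empty on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def reverse_lookup(ip):
    """PTR lookup: primary name for ip, or None if there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def norm(name):
    return name.rstrip(".").lower()

def match_forward_first(client_ip, hba_names, forward=forward_lookup):
    # Only forward data for names the administrator configured is consulted,
    # so no confirmation step is needed. Cost: one lookup per configured name.
    for name in hba_names:
        if client_ip in forward(norm(name)):
            return norm(name)
    return None

def match_reverse_first(client_ip, hba_names, forward=forward_lookup,
                        reverse=reverse_lookup):
    # One PTR lookup, then the paranoid check: the PTR name is supplied by
    # whoever controls the reverse zone, so it must resolve back to client_ip.
    ptr = reverse(client_ip)
    if ptr is None:
        return None                      # host without (controlled) reverse DNS
    name = norm(ptr)
    if client_ip not in forward(name):
        return None                      # name->ip does not confirm ip->name
    return name if name in {norm(n) for n in hba_names} else None

# Constructed zone data (documentation address ranges, example domains).
A = {"db1.example.com": {"192.0.2.10"},
     "alias.example.com": {"192.0.2.10"},      # second A record, same host
     "trusted.example.com": {"192.0.2.20"}}    # no PTR exists for 192.0.2.20
PTR = {"192.0.2.10": "db1.example.com",
       "203.0.113.5": "trusted.example.com"}   # PTR claiming someone else's name

def fake_forward(name):
    return A.get(name, set())

def fake_reverse(ip):
    return PTR.get(ip)
```

With the constructed data, the reverse-first path rejects the unconfirmed PTR for 203.0.113.5, but it also fails the two legitimate cases the message warns about: the host with no PTR and the host listed in the file under its non-PTR A record.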