Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses

On Sun, Jun 15, 2008 at 11:56:35PM +0200, Peter Eisentraut wrote:

> It would probably be a good idea to check how other programs deal with 
> hostname lookups during authentication.  Programs like SSH, Apache, and Squid 
> come to mind.

There is actually a great deal of controversy about most of this
hostname-based authentication, particularly in the absence of DNSSEC.
If anyone implementing this is interested in the controversy, I have a
huge mail archive of it (because I'm the current editor of the IETF
working group document on this, and therefore have received much hate
mail on the topic).  I think it's all summarised in the draft[1] I
mentioned upthread.  Since that's possibly about to go to IETF last
call, it'd be a good time for someone planning to implement something
to look at that document, and report on whether it provides any useful
guidance at all.  I'd be keenly interested in hearing the verdict.

A

[1]
http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-reverse-mapping-considerations/

-- 
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/