Re: Why don't we allow DNS names in pg_hba.conf?

Mark Woodward wrote:

>>Mark Woodward wrote:
>>
>>    
>>
>>>>If I am a road warrior I want to be able to connect, run my dynamic dns
>>>>client, and go.
>>>>
>>>>
>>>>
>>>>        
>>>>
>>>In your scenario of working as a road warrior, you are almost
>>>certainly not going to be able to have a workable DNS host name unless
>>>you
>>>have a raw internet IP address. More than likely you will have an IP
>>>address (known to your laptop) as a 192 or 10 address.
>>>
>>>      
>>>
>>Nonsense. There is a dynamic DNS client that is quite smart enough to
>>find out and use the gateway address. See:
>>http://ddclient.sourceforge.net/
>>
>>I'm sure there are others, including some for Windows.
>>
>>    
>>
>
>But then, there is another problem, if you don't have a real and true IP
>address, if you are on anonymous 192 or 10 net (most likely the case),
>then your dynamic DNS entry allows EVERYONE on your network the same
>access.
>
>I still say an SSH tunnel with port forwarding is more secure, besides you
>can even compress the data stream.
>
>
>  
>

And then you have to allow shell access. What's wrong with SSL with 
client certificates?

Personally, I doubt there's any great use case for DNS names. Like Tom 
says, if it involves much more that removing the AI_NUMERICHOST hint 
then let's forget it.

(I also agree with a point Jan sometimes makes - that end client s/w 
generally should not be talking to the db at all - that's what 
middleware is for. Then this whole discussion becomes moot.)

cheers

andrew