Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses

On Fri, Jun 13, 2008 at 4:30 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Andrew Dunstan <andrew@dunslane.net> writes:
>> The reason it wasn't done years ago was that there was disagreement on
>> the way it should work. And the TODO actually lists several alternatives:
>
> IIRC, the major reason there was disagreement was the prospect of
> unacceptable performance from any of the easy or obvious
> implementations.  As Andrew S notes, you can't just do the lookups
> once at postmaster start; but resolving a pile of hostnames during
> each connection is pretty unpleasant, especially if the DNS server
> isn't local.  (And then there are the effective-DOS implications if
> the DNS server is down altogether.)

Yes, if DNS server is down during a init connection, or server
startup, we can have problems.

> The attraction of the reverse-lookup approach is that you do only
> one lookup, on the actual connection IP, rather than having to
> resolve every hostname in the file to see if it matches.

SSH uses an approach like that.

> However that way had disadvantages of its own, which I don't recall at the
> moment.  I think at least some of the issues had to do with security,
> ie how much can you trust an answer from a remote DNS server.
> Check the archives before you start implementing ...

I'm seeing alternatives and studing the code and the email replies,
but not start coding yet.

Thanks Tom.

-- 
[]s
Dickson S. Guedes
-------------------------------------
Projeto Colmeia - Curitiba - PR
(41) 3254-7130 ramal: 27
http://makeall.wordpress.com/
http://pgcon.postgresql.org.br/
http://planeta.postgresql.org.br/