Re: CIDR in pg_hba.conf - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: CIDR in pg_hba.conf
Date
Msg-id 002101c3162c$e82903c0$6401a8c0@DUNSLANE
In response to Re: CIDR in pg_hba.conf  (Larry Rosenman <ler@lerctr.org>)
List pgsql-hackers
I agree with this 100%.

My plan was simply at connect time to loop through the stuff returned by
getaddrinfo looking for a matching address.  Risks in terms of security and
connect time are matters for documentation, IMNSHO.

andrew

----- Original Message ----- 
From: "Tom Lane" <tgl@sss.pgh.pa.us>
To: "Bruno Wolff III" <bruno@wolff.to>
Cc: "Curt Sampson" <cjs@cynic.net>; "PostgreSQL Hackers Mailing List"
<pgsql-hackers@postgresql.org>
Sent: Friday, May 09, 2003 8:50 AM
Subject: Re: [HACKERS] CIDR in pg_hba.conf


> Bruno Wolff III <bruno@wolff.to> writes:
> > .... However I don't think doing just forward
> > lookups at connect time scales.
>
> Is it necessary that it scale?  AFAICS, putting DNS names in pg_hba.conf
> would be a convenience feature for low-volume databases.  People who are
> trying to service lots of connections would put numbers in there anyway
> for performance reasons.  I'd prefer to go for simplicity here, and just
> do the lookups on demand.
>
> I think most of the objections that have been raised in this thread are
> not very applicable to real-world uses.  The hosts you are going to be
> granting database access to are usually nearby ones, and the DNS server
> you are going to be consulting is not only nearby but authoritative for
> those names.  So I think both the speed and security issues are being
> overstated.  Indeed we should mention them prominently in the docs, but
> we should not overengineer the implementation.
>
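
As an added illustration of the connect-time matching Andrew describes (this is my own example, not his patch or PostgreSQL's code): forward-resolve the pg_hba.conf host name with getaddrinfo and loop through the results looking for the client's address. The function names, the `flags` parameter and the sample addresses are assumptions; a lookup that fails or matches nothing is treated as a deny.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdbool.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* Compare only the address part; pg_hba.conf entries carry no port. */
static bool addr_equal(const struct sockaddr *a, const struct sockaddr *b)
{
    if (a->sa_family != b->sa_family)
        return false;
    if (a->sa_family == AF_INET)
        return memcmp(&((const struct sockaddr_in *) a)->sin_addr,
                      &((const struct sockaddr_in *) b)->sin_addr, sizeof(struct in_addr)) == 0;
    if (a->sa_family == AF_INET6)
        return memcmp(&((const struct sockaddr_in6 *) a)->sin6_addr,
                      &((const struct sockaddr_in6 *) b)->sin6_addr, sizeof(struct in6_addr)) == 0;
    return false;
}
/* Forward-resolve the pg_hba.conf host name at connect time and accept the client only if
 * its address equals one result. A failed lookup is "no match"; `flags` goes to getaddrinfo. */
bool hba_host_matches(const char *hba_host, const struct sockaddr *client, int flags)
{
    struct addrinfo hints = {0}, *res, *ai;
    bool found = false;
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;       /* one entry per address, no duplicates */
    hints.ai_flags = flags;                /* AI_NUMERICHOST lets the test run offline */
    if (getaddrinfo(hba_host, NULL, &hints, &res) != 0)
        return false;                       /* unresolvable name: deny */
    for (ai = res; ai != NULL && !found; ai = ai->ai_next)
        found = addr_equal(ai->ai_addr, client);
    freeaddrinfo(res);
    return found;
}

/* Wrapper taking the client address as a numeric string (IPv4 or IPv6). */
bool hba_host_matches_str(const char *hba_host, const char *client_ip, int flags)
{
    struct sockaddr_storage ss = {0};
    if (inet_pton(AF_INET, client_ip, &((struct sockaddr_in *) &ss)->sin_addr) == 1)
        ss.ss_family = AF_INET;
    else if (inet_pton(AF_INET6, client_ip, &((struct sockaddr_in6 *) &ss)->sin6_addr) == 1)
        ss.ss_family = AF_INET6;
    else
        return false;                       /* not a valid client address */
    return hba_host_matches(hba_host, (const struct sockaddr *) &ss, flags);
}
```

With a real host name and `flags = 0` the same loop performs the DNS query on every connection attempt, which is the connect-time cost the thread discusses.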


