Re: Why don't we allow DNS names in pg_hba.conf? - Mailing list pgsql-hackers

From mark@mark.mielke.cc
Subject Re: Why don't we allow DNS names in pg_hba.conf?
Msg-id 20060103181545.GA30685@mark.mielke.cc
In response to Re: Why don't we allow DNS names in pg_hba.conf?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Why don't we allow DNS names in pg_hba.conf?
List pgsql-hackers

On Tue, Jan 03, 2006 at 12:43:03PM -0500, Tom Lane wrote:
> Andrew Dunstan <andrew@dunslane.net> writes:
> > One thing that bothers me slightly is that we would need to look up each 
> > name (at least until we found a match) for each connection. If you had 
> > lots of names in your pg_hba.conf that could be quite a hit.
> A possible answer to that is to *not* look up the names from
> pg_hba.conf, but instead restrict the feature to matching the
> reverse-DNS name of the client.  This limits the cost to one lookup per
> connection instead of N (and it'd be essentially free if you have
> log_hostnames turned on, since we already do that lookup in that case).

> I'm not sure about the relative usefulness of this compared to the
> forward-lookup case, nor whether it's riskier or less risky from a
> spoofing point of view.  But something to consider.

I think it's riskier. I have my own PTR records that I can make
whatever I wish without any authority verifying that my actions are
proper. Although most people don't, this is because most people don't
ask for them, or don't know how or where to ask for them. The security
benefit is in the address, not in the name. The convenience is in the
name, and not the address.

I'm not seeing why forward lookups are bad. There are several options
available for controlling this, including configuring /etc/hosts to be
searched first, before DNS, using nsswitch.conf. Another option is
to use your own DNS server, with its own zone records, such that
/etc/resolv.conf uses 127.1, which will serve my own records before
doing a recursive lookup over the network.

It's not a big deal. I'd recommend keeping documentation and inline
comment warnings all over the place, but if people want to use names,
I'm not seeing the problem. They can already hang themselves by granting
full access to the Internet by network mask? :-)

Cheers,
mark

-- 
mark@mielke.cc / markm@ncf.ca / markm@nortel.com     __________________________
.  .  _  ._  . .   .__    .  . ._. .__ .   . . .__  | Neighbourhood Coder
|\/| |_| |_| |/    |_     |\/|  |  |_  |   |/  |_   | 
|  | | | | \ | \   |__ .  |  | .|. |__ |__ | \ |__  | Ottawa, Ontario, Canada
One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/
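To make the spoofing argument in this post concrete, here is an added example (not code from the thread or from PostgreSQL) that models the two matching strategies over a constructed zone: reverse-only matching accepts whatever PTR the address owner wrote, while resolving the pg_hba.conf name forward and comparing addresses does not. The forward-confirmed variant at the end goes beyond what the thread proposes; all names and addresses are hypothetical.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed zone data standing in for DNS answers (hypothetical names/addresses).
FORWARD = {
    "app1.example.test": ["192.0.2.10", "2001:db8::10"],
    "app2.example.test": ["192.0.2.11"],
}
REVERSE = {
    "192.0.2.10": "app1.example.test",
    "2001:db8::10": "app1.example.test",
    # A PTR record the address owner wrote themselves: it claims to be app1,
    # but nothing in the forward zone backs that claim up.
    "198.51.100.7": "app1.example.test",
}


def forward_lookup(name: str) -> Iterable[str]:
    """Stand-in for an A/AAAA query against the constructed zone."""
    return FORWARD.get(name, [])


def reverse_lookup(addr: str) -> Optional[str]:
    """Stand-in for a PTR query; keys are canonical address strings."""
    return REVERSE.get(str(ipaddress.ip_address(addr)))


def matches_reverse_only(client_addr: str, rule_host: str, rev=reverse_lookup) -> bool:
    """One PTR lookup per connection; trusts whatever the client's PTR says."""
    return rev(client_addr) == rule_host


def matches_forward(client_addr: str, rule_host: str, fwd=forward_lookup) -> bool:
    """Resolve the pg_hba.conf name and compare addresses (the forward-lookup case).
    Addresses are compared as parsed values so IPv6 spelling differences don't matter."""
    client = ipaddress.ip_address(client_addr)
    return any(ipaddress.ip_address(a) == client for a in fwd(rule_host))


def matches_fcrdns(client_addr: str, rule_host: str,
                   fwd=forward_lookup, rev=reverse_lookup) -> bool:
    """Forward-confirmed reverse DNS: still one PTR lookup for the common case,
    but the PTR name only counts if it resolves back to the connecting address."""
    name = rev(client_addr)
    if name is None or name != rule_host:
        return False
    return matches_forward(client_addr, name, fwd)
```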