Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses - Mailing list pgsql-hackers

From Andrew Sullivan
Subject Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses
Date
Msg-id 20080616072040.GD35003@commandprompt.com
In response to Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses  (Peter Eisentraut <peter_e@gmx.net>)
Responses Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses
List pgsql-hackers
On Sun, Jun 15, 2008 at 11:56:35PM +0200, Peter Eisentraut wrote:

> It would probably be a good idea to check how other programs deal with 
> hostname lookups during authentication.  Programs like SSH, Apache, and Squid 
> come to mind.

There is actually a great deal of controversy about most of this
hostname-based authentication, particularly in the absence of DNSSEC.
If anyone implementing this is interested in the controversy, I have a
huge mail archive of it (because I'm the current editor of the IETF
working group document on this, and therefore have received much hate
mail on the topic).  I think it's all summarised in the draft[1] I
mentioned upthread.  Since that's possibly about to go to IETF last
call, it'd be a good time for someone planning to implement something
to look at that document, and report on whether it provides any useful
guidance at all.  I'd be keenly interested in hearing the verdict.

A

[1]
http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-reverse-mapping-considerations/

-- 
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/

