"Kevin Grittner" <Kevin.Grittner@wicourts.gov> writes:
> Without the logic to ensure that the hostname matches the reverse
> lookup, this might be useful for us. With that logic it is useless
> for us. I'm wondering how much you gain by having it in there. Why
> can't a forward lookup which matches the requesting IP be considered
> sufficient?
I was about to complain about that same thing. ISTM the logic ought
to be that you do a forward DNS lookup on the name presented in
pg_hba.conf, and if any of the returned IP addresses match the
connection's remote IP address, then you have a match. This business
with doing a reverse lookup is at least twice as expensive, far more
fragile, and it seems completely bogus from a security viewpoint.
Why should I trust the RDNS server for an attacker's IP address?
regards, tom lane
