Re: Why don't we allow DNS names in pg_hba.conf? - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: Why don't we allow DNS names in pg_hba.conf?
Date
Msg-id 43F0E6ED.5030906@dunslane.net
In response to Re: Why don't we allow DNS names in pg_hba.conf?  ("Mark Woodward" <pgsql@mohawksoft.com>)
Responses Re: Why don't we allow DNS names in pg_hba.conf?
List pgsql-hackers
Mark Woodward wrote:

>>Mark Woodward wrote:
>>
>>>>If I am a road warrior I want to be able to connect, run my dynamic dns
>>>>client, and go.
>>>>
>>>In your scenario of working as a road warrior, you are almost
>>>certainly not going to be able to have a workable DNS host name unless
>>>you have a raw internet IP address. More than likely you will have an IP
>>>address (known to your laptop) as a 192 or 10 address.
>>>
>>Nonsense. There is a dynamic DNS client that is quite smart enough to
>>find out and use the gateway address. See:
>>http://ddclient.sourceforge.net/
>>
>>I'm sure there are others, including some for Windows.
>>
>
>But then, there is another problem, if you don't have a real and true IP
>address, if you are on anonymous 192 or 10 net (most likely the case),
>then your dynamic DNS entry allows EVERYONE on your network the same
>access.
>
>I still say an SSH tunnel with port forwarding is more secure, besides you
>can even compress the data stream.
>

And then you have to allow shell access. What's wrong with SSL with 
client certificates?

Personally, I doubt there's any great use case for DNS names. Like Tom 
says, if it involves much more than removing the AI_NUMERICHOST hint 
then let's forget it.

(I also agree with a point Jan sometimes makes - that end client s/w 
generally should not be talking to the db at all - that's what 
middleware is for. Then this whole discussion becomes moot.)

cheers

andrew
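
As an added illustration (not part of the original message and not PostgreSQL source code), the sketch below shows what the AI_NUMERICHOST hint mentioned above does in getaddrinfo(): literal IPv4/IPv6 addresses parse, while host names are rejected without any resolver being consulted, so an access rule never depends on a DNS answer. The helper name parse_numeric_address and the sample fields are assumptions made for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Hypothetical helper: parse an address field the way a numeric-only
 * config parser would. Returns AF_INET or AF_INET6 for a literal
 * address, or -1 when the field is not a numeric address. */
int parse_numeric_address(const char *field)
{
    struct addrinfo hints, *res = NULL;
    int family;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;       /* accept IPv4 and IPv6 literals */
    hints.ai_socktype = SOCK_STREAM;   /* one result per address */
    hints.ai_flags = AI_NUMERICHOST;   /* never perform name resolution */

    if (getaddrinfo(field, NULL, &hints, &res) != 0 || res == NULL)
        return -1;                     /* host names end up here */
    family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

int main(void)
{
    /* Constructed sample fields, not taken from any real configuration. */
    const char *fields[] = { "192.168.1.10", "::1",
                             "laptop.example.org", "localhost" };
    size_t i;

    for (i = 0; i < sizeof(fields) / sizeof(fields[0]); i++) {
        int fam = parse_numeric_address(fields[i]);
        printf("%-20s -> %s\n", fields[i],
               fam == AF_INET  ? "IPv4 literal" :
               fam == AF_INET6 ? "IPv6 literal" :
                                 "rejected (not numeric, no lookup done)");
    }
    return 0;
}
```

Dropping the AI_NUMERICHOST flag makes the same call resolve names, which is the change discussed in this thread; the match then depends on whatever the resolver returns when the entry is evaluated.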

