"Kevin Grittner" <kevin.gritt...@wicourts.gov> writes: > Without the logic to ensure that the hostname matches the reverse > lookup, this might be useful for us. With that logic it is useless > for us. I'm wondering how much you gain by having it in there. Why > can't a forward lookup which matches the requesting IP be considered > sufficient?
I was about to complain about that same thing. ISTM the logic ought to be that you do a forward DNS lookup on the name presented in pg_hba.conf, and if any of the returned IP addresses match the connection's remote IP address, then you have a match. This business with doing a reverse lookup is at least twice as expensive, far more fragile, and it seems completely bogus from a security viewpoint. Why should I trust the RDNS server for an attacker's IP address? regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers