Peter Eisentraut <pete...@gmx.net> writes: > On tis, 2010-08-10 at 10:39 -0400, Tom Lane wrote: >> I was about to complain about that same thing. ISTM the logic ought >> to be that you do a forward DNS lookup on the name presented in >> pg_hba.conf, and if any of the returned IP addresses match the >> connection's remote IP address, then you have a match. This business >> with doing a reverse lookup is at least twice as expensive, far more >> fragile, and it seems completely bogus from a security viewpoint.
> If you have hundreds on lines in pg_hba.conf, then you need to do > hundreds of DNS lookups per connection attempt (*), and each of those > lookups could result in even more IP addresses, or could time out. If you have a configuration that would actually require that, then you would have a case for using a wildcard. My complaint is that you're trying to force everyone to pay for that feature whether it's of use to them or not. I think it's at least as likely that typical setups would need exactly *one*, non wildcard, entry, to wit appserver.mycompany.com (which'd necessarily yield IPs for all the machines running your app server code). regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers