North American Network Operators Group


Re: request for help w/ ATT and terminology

  • From: Roland Dobbins
  • Date: Fri Jan 18 22:26:38 2008

On Jan 18, 2008, at 7:50 AM, Brandon Galbraith wrote:

> Agreed. I'd see a huge security hole in letting someone put in a firewall rule in a PIX/ASA/etc. as opposed to an IP, especially since it's rare to see DNSSEC in production.

It's not only a security issue, but a performance issue (both resolver and server) and one of practicality, as well (multiple A records for a single FQDN, CNAMEs, A records without matching PTRs, et al.). The performance problem would likely be even more apparent under DNSSEC, and the practicality issue would remain unchanged.

As smb indicated, many folks put DNS names for hosts in the config files and then perform a lookup and do the conversion to IP addresses prior to deployment (hopefully with some kind of auditing prior to deployment, heh).

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // 408.527.6376 voice

Culture eats strategy for breakfast.

-- Ford Motor Company
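
Added example, not part of the original message or thread: a sketch of the pre-deployment workflow the message describes, where names in a rule template are expanded to addresses before deployment and every change since the last approved resolution is listed for audit. The `{{fqdn}}` placeholder syntax, the rule text, the DNS answers and the approved baseline are all constructed for illustration; a real run would pass a resolver that queries DNS.

```python
import ipaddress
import re

# Constructed stand-in for DNS answers so the example runs offline.
SAMPLE_DNS = {
    "www.example.com": ["192.0.2.10", "192.0.2.11"],  # multiple A records
    "mail.example.com": ["198.51.100.25"],
}
# Constructed baseline: addresses signed off at the previous deployment.
APPROVED = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["198.51.100.25"],
}
# Hypothetical template; the rule wording is illustrative, not exact device syntax.
TEMPLATE = """\
permit tcp any host {{www.example.com}} eq 443
permit tcp any host {{mail.example.com}} eq 25
permit tcp any host {{db.example.com}} eq 5432
"""
NAME = re.compile(r"\{\{([A-Za-z0-9.-]+)\}\}")

def sample_resolver(name):
    """Offline resolver over SAMPLE_DNS; returns [] for unknown names."""
    return SAMPLE_DNS.get(name, [])

def expand(template, resolve, approved):
    """Return (rules, findings): IP-only rules plus items needing review."""
    rules, findings = [], []
    for line in template.splitlines():
        m = NAME.search(line)
        if not m:
            rules.append(line)
            continue
        name = m.group(1)
        # ip_address() also rejects anything that is not a literal address.
        addrs = sorted(resolve(name), key=lambda a: ipaddress.ip_address(a).packed)
        if not addrs:
            findings.append(f"UNRESOLVED {name}")
            continue  # fail closed: emit no rule for a name with no answer
        old = set(approved.get(name, []))
        for addr in addrs:  # one rule per address when a name has several
            if addr not in old:
                findings.append(f"NEW {name} -> {addr}")
            rules.append(line.replace(m.group(0), addr))
        for addr in sorted(old - set(addrs)):
            findings.append(f"REMOVED {name} -> {addr}")
    return rules, findings

if __name__ == "__main__":
    for item in expand(TEMPLATE, sample_resolver, APPROVED):
        print("\n".join(item), end="\n\n")
```

Only the emitted rules, which contain addresses and no names, would go to the device; a non-empty findings list is what the reviewer signs off before deployment.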