[101831] in North American Network Operators' Group


Re: request for help w/ ATT and terminology

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Fri Jan 18 22:25:43 2008

From: Roland Dobbins <rdobbins@cisco.com>
To: NANOG <nanog@merit.edu>
In-Reply-To: <366100670801171550h1f3e04bds710a7f056141bd22@mail.gmail.com>
Date: Sat, 19 Jan 2008 11:18:29 +0800
Errors-To: owner-nanog@merit.edu



On Jan 18, 2008, at 7:50 AM, Brandon Galbraith wrote:

> Agreed. I'd see a huge security hole in letting someone put
> host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed
> to an IP, especially since it's rare to see DNSSEC in production.

It's not only a security issue, but a performance issue (both resolver
and server) and one of practicality, as well (multiple A records for a
single FQDN, CNAMEs, A records without matching PTRs, et al.). The
performance problem would likely be even more apparent under DNSSEC,
and the practicality issue would remain unchanged.

As smb indicated, many folks put DNS names for hosts in the config
files and then perform a lookup and do the conversion to IP addresses
prior to deployment (hopefully with some kind of auditing prior to
deployment, heh).


-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

	Culture eats strategy for breakfast.

            -- Ford Motor Company
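A pre-deployment conversion step of the kind Roland describes, as an added example that is not from the thread or from any vendor's tooling: it rewrites host names in firewall rules to addresses using constructed sample zone data (the names and addresses are assumptions) and reports the practicality cases he lists, several A records for one FQDN, CNAMEs, and A records without a matching PTR, so they can be reviewed before the rules ship.

```python
import ipaddress
from itertools import product

# Constructed sample zone data standing in for live DNS (hypothetical names and addresses).
FORWARD = {
    "db.example.net": ["192.0.2.10"],
    "web.example.net": ["192.0.2.20", "192.0.2.21"],  # two A records for one FQDN
    "www.example.net": "web.example.net",             # CNAME pointing at web.example.net
}
REVERSE = {
    "192.0.2.10": "db.example.net",
    "192.0.2.20": "web.example.net",
    # 192.0.2.21 deliberately has no PTR record
}

def resolve(name, forward=FORWARD, max_hops=8):
    """Follow CNAMEs to the canonical name; return (addresses, cname_hops, canonical)."""
    hops = []
    while isinstance(forward.get(name), str):
        if name in hops or len(hops) >= max_hops:
            raise ValueError(f"CNAME loop or over-long chain at {name}")
        hops.append(name)
        name = forward[name]
    return [ipaddress.ip_address(a) for a in forward.get(name, [])], hops, name

def expand_rule(rule, forward=FORWARD, reverse=REVERSE):
    """Rewrite the src/dst names of one rule to addresses; return (rules, audit_warnings).
    Unresolvable names are rejected; multi-A, CNAME and PTR-mismatch cases are flagged."""
    warnings, addrs_for = [], {}
    for side in ("src", "dst"):
        value = rule[side]
        try:  # a literal address needs no lookup and nothing to audit
            addrs_for[side] = [ipaddress.ip_address(value)]
            continue
        except ValueError:
            pass
        addrs, hops, canonical = resolve(value, forward)
        if not addrs:
            raise ValueError(f"{value} does not resolve; refusing to emit a rule")
        if hops:
            warnings.append(f"{value} is a CNAME: {' -> '.join(hops + [canonical])}")
        if len(addrs) > 1:
            warnings.append(f"{value} has {len(addrs)} A records; rule fans out")
        for a in addrs:
            if reverse.get(str(a)) != canonical:
                warnings.append(f"{a} ({value}) has no PTR matching {canonical}")
        addrs_for[side] = addrs
    rules = [dict(rule, src=str(s), dst=str(d)) for s, d in product(addrs_for["src"], addrs_for["dst"])]
    return rules, warnings
```

Each warning is meant to stop the push until a human confirms the fan-out is intended; a name that does not resolve at all is treated as a hard error rather than silently dropped.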



