request for help w/ ATT and terminology
Roland Dobbins
rdobbins at cisco.com
Sat Jan 19 03:18:29 UTC 2008
On Jan 18, 2008, at 7:50 AM, Brandon Galbraith wrote:
> Agreed. I'd see a huge security hole in letting someone put
> host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed
> to an IP, especially since it's rare to see DNSSEC in production.
It's not only a security issue, but a performance issue (both resolver
and server) and one of practicality, as well (multiple A records for a
single FQDN, CNAMEs, A records without matching PTRs, et al.). The
performance problem would likely be even more apparent under DNSSEC,
and the practicality issue would remain unchanged.
As smb indicated, many folks put DNS names for hosts in the config
files and then perform a lookup and do the conversion to IP addresses
prior to deployment (hopefully with some kind of auditing prior to
deployment, heh).
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company
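The pre-deployment name-to-address conversion and audit the message describes, as an added example that is not code from the post or from NANOG: it resolves each hostname found in a config, converts it to addresses, and flags exactly the practicality problems listed (multiple A records, CNAMEs, A records without a matching PTR). The hostnames, addresses and in-memory DNS answers are constructed for the example; only the `live_forward`/`live_reverse` helpers touch the system resolver, and they are not called unless you pass them in.

```python
import socket

# Constructed answers standing in for a resolver (not real hosts or addresses).
FAKE_DNS = {
    "web.example.net":    {"canonical": "web.example.net",  "a": ["192.0.2.10"]},
    "pool.example.net":   {"canonical": "pool.example.net", "a": ["192.0.2.21", "192.0.2.20"]},
    "alias.example.net":  {"canonical": "lb.example.net",   "a": ["192.0.2.30"]},
    "orphan.example.net": {"canonical": "orphan.example.net", "a": ["192.0.2.40"]},
}
FAKE_PTR = {"192.0.2.10": "web.example.net", "192.0.2.20": "pool.example.net",
            "192.0.2.21": "pool.example.net", "192.0.2.30": "lb.example.net"}
# 192.0.2.40 deliberately has no PTR, to exercise the missing-reverse check.

def fake_forward(name):
    """Return (canonical name, list of A records) from the constructed table."""
    rec = FAKE_DNS[name]
    return rec["canonical"], list(rec["a"])

def fake_reverse(ip):
    """Return the PTR name for an address, or None if there is none."""
    return FAKE_PTR.get(ip)

def live_forward(name):
    """Same contract as fake_forward, using the system resolver (stdlib only)."""
    canonical, _aliases, addrs = socket.gethostbyname_ex(name)
    return canonical, addrs

def live_reverse(ip):
    """Same contract as fake_reverse, using the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def audit(hostnames, forward=fake_forward, reverse=fake_reverse):
    """Resolve each config hostname and return {name: (sorted IPs, warnings)}.

    An entry with an empty warning list is safe to substitute into the rule
    as a literal address; anything else needs a human decision first.
    """
    report = {}
    for name in hostnames:
        canonical, addrs = forward(name)
        warnings = []
        if canonical != name:                       # name is a CNAME
            warnings.append(f"CNAME -> {canonical}")
        if len(addrs) > 1:                          # one name, several hosts
            warnings.append(f"{len(addrs)} A records")
        for ip in addrs:                            # forward/reverse agreement
            ptr = reverse(ip)
            if ptr not in (name, canonical):
                warnings.append(f"PTR for {ip} is {ptr!r}, not {canonical}")
        report[name] = (sorted(addrs), warnings)
    return report
```

Pass `forward=live_forward, reverse=live_reverse` to run the same audit against real DNS before pushing a config.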