request for help w/ ATT and terminology

Roland Dobbins rdobbins at cisco.com
Sat Jan 19 03:18:29 UTC 2008



On Jan 18, 2008, at 7:50 AM, Brandon Galbraith wrote:

> Agreed. I'd see a huge security hole in letting someone put  
> host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed  
> to an IP, especially since it's rare to see DNSSEC in production.

It's not only a security issue, but a performance issue (both resolver  
and server) and one of practicality, as well (multiple A records for a  
single FQDN, CNAMEs, A records without matching PTRs, et. al.).  The  
performance problem would likely be even more apparent under DNSSEC,  
and the practicality issue would remain unchanged.

As smb indicated, many folks put DNS names for hosts in the config  
files and then perform a lookup and do the conversion to IP addresses  
prior to deployment (hopefully with some kind of auditing prior to  
deployment, heh).


-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

	Culture eats strategy for breakfast.

            -- Ford Motor Company






More information about the NANOG mailing list