CNAME records in place of A records
mpalmer at hezmatt.org
Mon Nov 9 00:10:17 UTC 2020
On Fri, Nov 06, 2020 at 05:07:26AM -0500, Dovid Bender wrote:
> Sorry if this is a bit OT. Recently several different vendors (in
> completely different fields) where they white label for us asked us to
> remove A records that we have going to them and replace them with CNAME
> records. Is there anything *going around* in the security aranea that has
> caused this?
The closest thing to a *security* issue I can think of is IP agility in the
face of DDoS attacks -- most booter-style attacks are dumb as rocks, and
null-routing the target IP and moving all the customers on that IP to
another one is the easiest solution.
However, there are many *other* great reasons to get customers to CNAME onto
their SaaS vendors, including:
* No need to coordinate routine renumbering events;
* IPv6 support;
* CAA record (SSL cert issuance) support; and
* no doubt a bunch of other reasons I've forgotten for the moment.
Basically, if you sign up for a SaaS that uses your own domain and they
*don't* give you a CNAME target to point at, I'd be very cautious, because
they're either *very* new to the game, or they're probably also
operationally deficient in a lot of other areas, too.
More information about the NANOG