On Jan 18, 2008, at 7:50 AM, Brandon Galbraith wrote:
Agreed. I'd see a huge security hole in letting someone put
host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed
to an IP, especially since it's rare to see DNSSEC in production.
It's not only a security issue, but a performance issue (both resolver
and server) and one of practicality, as well (multiple A records for a
single FQDN, CNAMEs, A records without matching PTRs, et. al.). The
performance problem would likely be even more apparent under DNSSEC,
and the practicality issue would remain unchanged.
As smb indicated, many folks put DNS names for hosts in the config
files and then perform a lookup and do the conversion to IP addresses
prior to deployment (hopefully with some kind of auditing prior to
deployment, heh).
-----------------------------------------------------------------------
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company
