Pointing to a CNAME is iffy. What happens if the A record that the CNAME points to is removed or changed? Then the CNAME is broken, thus breaking the NS record. And from the most pragmatic point of view, BIND 9.x and many of the newer versions of DNS servers coming up won't look up these records, because of a failure in RFC compliance. Basically, looking up glue records to find the host's IP (or vice versa) is time consuming and not all that reliable or secure. Depending on glue records means that there is a chance that the recursive lookup server may pull bogus data, forwarding you to an IP that is incorrect, or worse, a mocked up, bogus phishing site, for example. By making sure that your NS records are A records, you can reduce the chances that your site's visitors are getting the information on finding your site from the proper authoritative source, and it's much more difficult for attackers to exploit.
Make sense?

Regards,
Ben Pitzer

---------------------------------------------
"Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." --Ben Franklin--

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Lisa Lorenzin
> Sent: Tuesday, January 27, 2004 10:28 AM
> To: Triangle Linux Users Group discussion list
> Subject: RE: [TriLUG] OT: DSL for SOHO in Chapel Hill
>
> > 1. Make sure that your domain points to the A record hostnames for your DNS
> > provider. All too often I come across zones that are pointed to CNAMES in
> > their NS or SOA records. This is very bad, and most BIND 9.x servers will
> > fail to look your domain up in this circumstance.
>
> does anybody know what technical problem is caused by having a zone point
> to a CNAME? i'm not looking for "it's not in compliance with the spec" -
> i understand that. i'm curious why the spec is written that way, and what
> problem they're trying to solve or avoid... it's something i've never
> understood.
>
> regards,
>
> lisa
>
> --
> lisa lorenzin | [EMAIL PROTECTED] | http://www.1000plus.com/lisa/
> of what avail is an open eye if the heart is blind? - solomon ibn gavirol
>
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
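The check Ben describes (NS and SOA MNAME targets should be hostnames with address records, never CNAMEs, and never dangling) can be linted offline before a zone is published. The following is an added example written for this page, not code from the thread or from BIND; the record set it scans is constructed, using the reserved `example.test` name, and the RFC 2181 section 10.3 reference is the rule that forbids NS targets from being CNAMEs.

```python
"""Lint a DNS record set for NS / SOA MNAME targets that are CNAMEs or that
have no address record. Example code written for this page; the records
below are constructed and are not from any real zone."""
from collections import defaultdict

# Constructed sample records: (owner, type, rdata), all names absolute.
SAMPLE_RECORDS = [
    ("example.test.", "SOA",
     "ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300"),
    ("example.test.", "NS", "ns1.example.test."),   # fine: has an A record
    ("example.test.", "NS", "ns2.example.test."),   # bad: target is a CNAME
    ("example.test.", "NS", "ns3.example.test."),   # bad: no address record
    ("ns1.example.test.", "A", "192.0.2.1"),
    ("ns2.example.test.", "CNAME", "ns1.example.test."),
    ("www.example.test.", "CNAME", "example.test."),
]


def index_records(records):
    """Group rdata by owner name and record type for O(1) lookups."""
    idx = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        idx[owner.lower()][rtype.upper()].append(rdata)
    return idx


def lint_ns_targets(records):
    """Return (owner, rtype, target, problem) for every NS or SOA MNAME
    target that is a CNAME or that has no A/AAAA record in the set."""
    idx = index_records(records)
    targets = []
    for owner, rtype, rdata in records:
        if rtype.upper() == "NS":
            targets.append((owner, "NS", rdata))
        elif rtype.upper() == "SOA":
            # MNAME is the first field of the SOA rdata.
            targets.append((owner, "SOA", rdata.split()[0]))

    problems = []
    for owner, rtype, target in targets:
        rrsets = idx.get(target.lower(), {})
        if "CNAME" in rrsets:
            # A CNAME owner may have no other data, so a resolver following
            # the NS target lands on a different name than the delegation says.
            problems.append((owner, rtype, target,
                             "target is a CNAME (RFC 2181 section 10.3)"))
        elif not (rrsets.get("A") or rrsets.get("AAAA")):
            problems.append((owner, rtype, target,
                             "target has no A/AAAA record (dangling)"))
    return problems


if __name__ == "__main__":
    for owner, rtype, target, problem in lint_ns_targets(SAMPLE_RECORDS):
        print(f"{owner} {rtype} -> {target}: {problem}")
```

Run against the constructed set it reports `ns2.example.test.` as a CNAME target and `ns3.example.test.` as dangling, while `ns1.example.test.` passes for both the NS record and the SOA MNAME. The same function can be fed records parsed from a real zone file or from a `dig` dump; only the record tuples change.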
