On Thu, 17 Jan 2008 17:35:30 -0500 Valdis.Kletnieks@vt.edu wrote:
> On Thu, 17 Jan 2008 21:29:37 GMT, "Steven M. Bellovin" said:
> > You don't always want to rely on the DNS for things like firewalls and ACLs. DNS responses can be spoofed, the servers may not be available, etc. (For some reason, I'm assuming that DNSsec isn't being used...)
> Been there, done that, plus enough other "stupid DNS tricks" and "stupid /etc/hosts tricks" to get me a fair supply of stories best told over a pitcher of Guinness down at the Underground..

I prefer nice, hoppy ales to Guinness, but either works for stories..

> *Choosing* to hardcode rather than use DNS is one thing. *Having* to hardcode because the gear is "too stupid" (as Joe Greco put it) is however "Caveat emptor" no matter how you slice it...

Mostly. I could make a strong case that some security gear shouldn't let you do the wrong thing. (OTOH, my preferred interface would do the DNS look-up at config time, and ask you to confirm the retrieved addresses.) You can even do that look-up on a protected net in some cases.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
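The config-time look-up Steve describes, as an added Python example that is not part of this thread: hostnames in a ruleset are resolved once, shown to the operator for confirmation, and only then written into the ACL as literal addresses (so the firewall itself never depends on the DNS at run time). The rule format, the `freeze_rules` function and the sample hostnames are assumptions of this example.

```python
import socket
import ipaddress
from datetime import datetime, timezone

# Constructed sample ruleset: one rule keyed by a name, one already by a literal prefix.
SAMPLE_RULES = [
    {"action": "allow", "src": "monitor.example.net", "dport": 22},
    {"action": "allow", "src": "10.0.5.0/24", "dport": 443},
]

def system_resolver(name):
    """Default resolver: ask the system stub resolver for A/AAAA records (assumed interface)."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos}, key=str)

def freeze_rules(rules, resolver=system_resolver, confirm=lambda name, addrs: True):
    """Return a copy of the rules with every hostname replaced by the addresses it
    resolved to right now. confirm(name, addrs) is called once per hostname and must
    return True; an empty answer or a rejected answer raises, so nothing unreviewed
    is emitted. Rules whose src is already an address or prefix pass through untouched."""
    frozen = []
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for rule in rules:
        target = rule["src"]
        try:
            ipaddress.ip_network(target, strict=False)  # already a literal: keep as-is
            frozen.append(dict(rule))
            continue
        except ValueError:
            pass
        addrs = resolver(target)
        if not addrs:
            raise ValueError(f"{target}: no addresses returned; refusing to emit an empty rule")
        if not confirm(target, addrs):
            raise ValueError(f"{target}: operator rejected resolved addresses {addrs}")
        for addr in addrs:  # one literal rule per address, annotated with its origin
            entry = dict(rule)
            entry["src"] = str(addr)
            entry["comment"] = f"{target} resolved {stamp}"
            frozen.append(entry)
    return frozen

def ask_operator(name, addrs):
    """Interactive confirm(): show what the lookup returned and require an explicit 'y'."""
    print(f"{name} -> {', '.join(map(str, addrs))}")
    return input("Hardcode these addresses? [y/N] ").strip().lower() == "y"

if __name__ == "__main__":
    for entry in freeze_rules(SAMPLE_RULES, confirm=ask_operator):
        print(entry)
```

The `comment` field keeps the original name and resolution time with each literal rule, which is what lets someone later re-check the hardcoded addresses against the DNS.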